Subject: This class is unusable in the...
Summary: Package rating comment
Messages: 2
Author: Artur Graniszewski
Date: 2011-01-10 09:38:55
Update: 2011-01-10 12:10:02
Artur Graniszewski rated this package as follows:
Utility: Bad
Consistency: Bad
Examples: Insufficient
Artur Graniszewski - 2011-01-10 09:38:56
This class is unusable in its current form.
There are some major bugs:
1) IP validation is wrong: "/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"
In this case your class will tell me that the IP 0.999.999.999 is valid!
2) String validation is wrong: the ctype_alpha() function allows only [a-zA-Z] letters; in this case "i've got 99 dollars" will not be a valid string (but it should be!)
3) URL validation is wrong: "@^(?:http://)?([^/]+)@i"
In this case the URL https://my-favourite-bank.com will be invalid; what's more, the URL "http://<script>alert("XSS injection");</script>" will be valid!
4) Extension validation is wrong: a file named "my.fake.jpg.exe" will be validated as a JPG image, not an exe file (which could contain a virus!)
5) What is the upload validator for?
I HIGHLY DISCOURAGE USING THIS CLASS. IT IS VERY INSECURE AND PROVIDES FALSE SENSE OF SAFETY.
Artur Graniszewski - 2011-01-10 12:10:02 - In reply to message 1 from Artur Graniszewski
Sorry, I hadn't noticed one thing: with "@^(?:http://)?([^/]+)@i", https://my-favourite-bank.com will be valid (because of the question mark after http://), but so will any other value, like "im not an URL!!!@#^*"
The same applies to email verification; there is virtually no problem writing "1212@121212" or "!!!!@#####" as a valid email.
Btw, there is one mistake on my part: your extension validator works differently than I predicted from the source code, but there is a much better solution for checking the file extension (see the pathinfo() function).
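The checks discussed in the two messages above, as an added example that is not part of the original review or of the reviewed package: the patterns quoted by the reviewer are reproduced as `weak*` functions and each is paired with a stricter replacement built on PHP's filter_var() and pathinfo(). The function names, the allow-list of image extensions, the 200-character text limit and the sample inputs are assumptions of this example; the rejection of the quoted `<script>` host by FILTER_VALIDATE_URL is the behaviour of PHP 7 and later.

```php
<?php
// Added example, not code from the reviewed package or from the reviewer.
// It reproduces the checks quoted in the review and pairs each with a
// stricter replacement built on filter_var() and pathinfo().

// Patterns exactly as quoted in the review messages.
const WEAK_IP_REGEX  = '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/';
const WEAK_URL_REGEX = '@^(?:http://)?([^/]+)@i';

function weakIsIp(string $s): bool     { return preg_match(WEAK_IP_REGEX, $s) === 1; }
function weakIsUrl(string $s): bool    { return preg_match(WEAK_URL_REGEX, $s) === 1; }
function weakIsString(string $s): bool { return ctype_alpha($s); }

// Each octet is checked against 0..255, so "0.999.999.999" is rejected.
function strictIsIp(string $s): bool
{
    return filter_var($s, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Requires a syntactically valid absolute URL with an http or https scheme.
// Bare strings such as "im not an URL!!!@#^*" have no scheme and fail; the
// quoted <script> URL has an invalid host name and fails on PHP 7 and later.
// Syntax validation says nothing about whether the destination is safe.
function strictIsUrl(string $s): bool
{
    if (filter_var($s, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($s, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// "!!!!@#####" fails because the domain part is not a valid host name.
function strictIsEmail(string $s): bool
{
    return filter_var($s, FILTER_VALIDATE_EMAIL) !== false;
}

// Free text such as "i've got 99 dollars" is not "alphabetic". Instead of
// ctype_alpha(), bound the length (assumed limit: 200) and reject control
// characters; escape with htmlspecialchars() wherever the text is rendered.
function strictIsText(string $s, int $maxLen = 200): bool
{
    return preg_match('/^[^\p{Cc}]{1,' . $maxLen . '}$/u', $s) === 1;
}

// pathinfo() returns the part after the LAST dot, so "my.fake.jpg.exe"
// yields "exe", not "jpg". Compare case-insensitively against an allow-list.
function extensionOf(string $filename): string
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

function isAllowedImageName(string $filename): bool
{
    // Assumed allow-list for this example.
    return in_array(extensionOf($filename), ['jpg', 'jpeg', 'png', 'gif'], true);
}

// Constructed sample inputs, taken from the review messages.
$cases = [
    ['ip',    '0.999.999.999',                 'weakIsIp',     'strictIsIp'],
    ['ip',    '192.168.1.10',                  'weakIsIp',     'strictIsIp'],
    ['url',   'https://my-favourite-bank.com', 'weakIsUrl',    'strictIsUrl'],
    ['url',   'im not an URL!!!@#^*',          'weakIsUrl',    'strictIsUrl'],
    ['url',   'http://<script>alert("XSS injection");</script>', 'weakIsUrl', 'strictIsUrl'],
    ['text',  "i've got 99 dollars",           'weakIsString', 'strictIsText'],
    ['email', '!!!!@#####',                    null,           'strictIsEmail'],
];

foreach ($cases as [$kind, $input, $weak, $strict]) {
    printf(
        "%-5s %-52s weak=%s strict=%s\n",
        $kind,
        var_export($input, true),
        $weak === null ? '-' : var_export($weak($input), true),
        var_export($strict($input), true)
    );
}
printf(
    "extension of 'my.fake.jpg.exe' => %s, allowed image: %s\n",
    extensionOf('my.fake.jpg.exe'),
    var_export(isAllowedImageName('my.fake.jpg.exe'), true)
);
```

Run it with `php example.php`; the weak column reports the quoted patterns accepting the bogus IP, the bare string and the `<script>` URL while rejecting the ordinary sentence, and the strict column reverses each verdict. An extension allow-list only constrains the file name: for an upload, also inspect the bytes (for example with finfo or getimagesize()) and store the file under a server-generated name outside the web root.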