External and internal data

While creating a script in Parser, we deal with two main types of data. One of them is part of the code. The other is incoming data received from HTML forms, environment variables, files and SQL servers. The code itself needs no checking. Yet when the data comes from a form filled in by a visitor, for example, it is potentially dangerous to output it as-is, so such data must be transformed according to certain rules. The lion's share of these transformations is performed by Parser automatically, on its own. For example, if Parser must output data received from an HTML-form field, the characters < and > contained in the input are automatically substituted by &lt; and &gt; respectively. Yet sometimes we need to allow this type of data to be output as-is, without any transformation.

The code written personally by the coder is regarded as clean. All incoming data is considered tainted.

Parser code - the code is written personally by the coder and is therefore not checked;

$form:field - outputs data sent by the user through an HTML form;

$my_table[^table::sql{sql-query}] - data retrieved from the DB.

As for $form:field, the tainted data received from a form field will be automatically transformed: some characters will be substituted according to the built-in table of replacements. After this, the data is regarded as clean, not tainted; in other words, it implicitly undergoes the untaint operation. The automatic transformation is applied at the moment the data is output. Thus, data retrieved from a DB and assigned to $my_table will be transformed when it is output (sent to the browser, saved to a file or to the DB).

Besides, there may be a situation when the data should either not be transformed at all or be transformed according to rules different from the default ones. For example, we may allow a visitor to use HTML tags in the input, say, for additional text formatting. Yet since this is potentially dangerous (for example, JavaScript submitted by a user to a guestbook may redirect other visitors' browsers to another site), Parser will by itself replace "undesirable" characters according to the predefined rules. This problem can be solved by using the operator untaint.
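The taint rules described above, as an added Python model that is not Parser's own code: outside data is tainted, the transformation happens at output time, and untaint switches it off. The names Tainted, untaint, output and the render_* functions are assumptions of this model; the model escapes the full HTML set rather than only < and >, and the last function shows the allow-list step a practitioner would put before untainting visitor-supplied HTML.

```python
import html
from dataclasses import dataclass

# Constructed model of the taint rules described above; it is not Parser's
# own implementation. Parser's built-in replacement table is wider than
# the "<" and ">" the text names, so html.escape() is used for the model.

@dataclass(frozen=True)
class Tainted:
    """Data that arrived from outside: a form field, a DB row, a file, an env var."""
    value: str

def untaint(data):
    """The coder vouches for the data: it becomes clean and will be output as-is.
    Nothing is transformed here, which is exactly why it must be used with care."""
    return data.value if isinstance(data, Tainted) else data

def output(data):
    """Output time is where Parser transforms tainted data; clean data (code
    literals or untainted values) passes through unchanged."""
    if isinstance(data, Tainted):
        return html.escape(data.value, quote=False)
    return data

def render_guestbook_entry(message):
    """Default behaviour: the template is code (clean), the message is form data
    (tainted) and is escaped when the page is sent to the browser."""
    heading = "<h2>Guestbook</h2>"  # written by the coder, so clean
    return heading + "<p>" + output(Tainted(message)) + "</p>"

def render_raw_entry(message):
    """Untainting raw form input switches the protection off: whatever the
    visitor typed, script tags included, reaches other visitors' browsers."""
    return "<p>" + output(untaint(Tainted(message))) + "</p>"

ALLOWED_TAGS = ("b", "i", "em", "strong")

def render_formatted_entry(message):
    """Safer way to permit some formatting: escape everything, restore only an
    allow-list of harmless tags, and untaint that result rather than the input."""
    safe = html.escape(message, quote=False)
    for tag in ALLOWED_TAGS:
        safe = safe.replace(f"&lt;{tag}&gt;", f"<{tag}>")
        safe = safe.replace(f"&lt;/{tag}&gt;", f"</{tag}>")
    return "<p>" + output(untaint(Tainted(safe))) + "</p>"
```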


Copyright © 1997–2017 Art. Lebedev Studio | http://www.artlebedev.com | Last updated: 20.09.2007