
digitalmars.D.learn - Sanitizing forms in vibe.d. How?

aberba <karabutaworld gmail.com> writes:
In php, I use built-in functions like
filter_var(FILTER_VALIDATE_EMAIL, $email). There are other
constants for different data types.

Again, there is mysqli_real_escape_string() for escaping SQL
injection/harmful characters.

What are my options in vibe.d or even D?
Dec 11 2016
Nicholas Wilson <iamthewilsonator hotmail.com> writes:
On Sunday, 11 December 2016 at 18:30:54 UTC, aberba wrote:
> In php, I use built-in functions like
> filter_var(FILTER_VALIDATE_EMAIL, $email). There are other
> constants for different data types.
You can enforce that the string that you receive is an email address with `isEmail` from `std.net.isemail`.
> Again, there is mysqli_real_escape_string() for escaping SQL
> injection/harmful characters.
>
> What are my options in vibe.d or even D?
What SQL library are you using? There is probably a function in that somewhere that does sanitisation, or use prepared statements.
Dec 11 2016
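As an added example (editorial, not code from the thread), here is the check Nicholas points at written as a form-field validator: a submitted address either parses under `std.net.isemail` or the request is rejected, rather than the value being "cleaned". `CheckDns.no` keeps it syntactic and offline; the `FieldResult` type and the sample inputs are constructed for the example.

```d
// Added example, not code from the thread: validating a submitted address
// with std.net.isemail (Phobos) before it is stored or used anywhere.
// Build and run with: dmd -run validate.d
import std.net.isemail : isEmail, CheckDns, EmailStatus;
import std.stdio : writefln;

/// Outcome the request handler acts on: accept the value, or reject the
/// request with a message. (Type constructed for this example.)
struct FieldResult
{
    bool ok;
    string message;
}

/// Validate (not sanitise) the e-mail field: anything that does not parse
/// as an address is rejected outright instead of being stripped or patched.
/// CheckDns.no means no MX/A lookup, so the check is purely syntactic.
FieldResult validateEmailField(string candidate)
{
    EmailStatus status = isEmail(candidate, CheckDns.no);
    if (!status.valid)
        return FieldResult(false, "not a valid e-mail address");
    return FieldResult(true, "");
}

void main()
{
    // Constructed inputs standing in for what a form might submit.
    static immutable samples = [
        "user@example.com",
        "first.last+tag@sub.example.org",
        "no-at-sign",
        "two@@example.com",
        "<script>@example.com",
    ];
    foreach (s; samples)
    {
        auto r = validateEmailField(s);
        auto status = isEmail(s, CheckDns.no);
        writefln("%-34s ok=%-5s status=%s", s, r.ok, status.statusCode);
    }
}
```

Once `valid` is true, `status.localPart` and `status.domainPart` give the two halves if you want to store or compare them separately; the point is that a rejected value never reaches the database or a page at all.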
aberba <karabutaworld gmail.com> writes:
On Monday, 12 December 2016 at 00:42:54 UTC, Nicholas Wilson wrote:
> On Sunday, 11 December 2016 at 18:30:54 UTC, aberba wrote:
> You can enforce that the string that you receive is an email
> address with `isEmail` from `std.net.isemail`
Nice.
> What sql library are you using? there is probably a function in
> that somewhere, that does sanitisation, or use prepared
> statements.
Will look into that. Currently planning to use mysql-lited (not sure which one is more capable though). How about an alternative to php strip_tags(), strip_slash()?
Dec 12 2016
Nicholas Wilson <iamthewilsonator hotmail.com> writes:
On Monday, 12 December 2016 at 10:25:05 UTC, aberba wrote:
> On Monday, 12 December 2016 at 00:42:54 UTC, Nicholas Wilson
> wrote:
>> On Sunday, 11 December 2016 at 18:30:54 UTC, aberba wrote:
>> You can enforce that the string that you receive is an email
>> address with `isEmail` from `std.net.isemail`
> Nice.
>> What sql library are you using? there is probably a function
>> in that somewhere, that does sanitisation, or use prepared
>> statements.
> Will look into that. Currently planning to use mysql-lited (not sure which one is more capable though)
All the bindings on code.dlang.org should be equally capable; however, some may be easier to use and/or be DB specific (e.g. the Postgres bindings).
> How about alternative to php strip_tags(), strip_slash() ?
For strip_slash, look for `replace` and friends in std.array. For strip_tags, I would look for an XML library (e.g. arsd.dom), parse it and then reprint it without the tags. There's probably a better way to do it though. I'm sure Adam Ruppe will be able to help you there.
Dec 12 2016
Adam D. Ruppe <destructionator gmail.com> writes:
On Monday, 12 December 2016 at 11:32:42 UTC, Nicholas Wilson wrote:
> for strip_tags I would look for an xml library (e.g. arsd.dom)
> and parse it and then reprint it without the tags. There's
> probably a better way to do it though. I'm sure Adam Ruppe will
> be able to help you there.
Well, it depends what you are doing with it. If you are just outputting user data, I wouldn't allow any HTML at all... but I'd do it by encoding it all. So if they write "<script>" in the form, the output will be "&lt;script&gt;", which is harmless. dom.d's htmlEntitiesEncode will do that:
http://dpldocs.info/experimental-docs/arsd.dom.htmlEntitiesEncode.html

auto safe = htmlEntitiesEncode(user_data);

Compare htmlentities() in PHP.

If you want to allow some HTML but not all, then yeah, you can use the full DOM parser and rip stuff out that way. Element.stripOut <http://dpldocs.info/experimental-docs/arsd.dom.Element.stripOut.html> can help with that, or innerText <http://dpldocs.info/experimental-docs/arsd.dom.Element.innerText.1.html>.

Ask me if you need more.
Dec 15 2016
Bauss <jj_1337 live.dk> writes:
On Monday, 12 December 2016 at 10:25:05 UTC, aberba wrote:
> On Monday, 12 December 2016 at 00:42:54 UTC, Nicholas Wilson
> wrote:
>> On Sunday, 11 December 2016 at 18:30:54 UTC, aberba wrote:
>> You can enforce that the string that you receive is an email
>> address with `isEmail` from `std.net.isemail`
> Nice.
>> What sql library are you using? there is probably a function
>> in that somewhere, that does sanitisation, or use prepared
>> statements.
> Will look into that. Currently planning to use mysql-lited (not sure which one is more capable though) How about alternative to php strip_tags(), strip_slash() ?
With vibe.d I would definitely go with mysql-native instead, since it's already compatible with it. See: https://github.com/mysql-d/mysql-native

vibe.d, and D in general, doesn't suffer from the same things PHP does when it comes to sanitizing. As long as you use prepared statements, you won't suffer from it. It's much safer to validate data than sanitize it. That way you don't get garbage either.
Dec 12 2016
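To make Bauss's "use prepared statements" concrete, here is an added example (editorial, not code from the thread or from the mysql-native project) that puts the string-building INSERT beside the placeholder form using mysql-native's `exec`/`queryRow` API. The `users(name, email)` table, the connection string and the sample user are all assumptions made for the example.

```d
// Added example, not from the thread or from mysql-native itself: the
// unsafe string-built INSERT beside the prepared-statement form. Assumes
// the dub package "mysql-native" and a table users(name, email); the
// connection string below is made up.
import mysql;                     // mysql-native package import
import std.format : format;

struct NewUser
{
    string name;
    string email;
}

/// UNSAFE: the values become part of the SQL text. A quote character in
/// either field ends the string literal early and whatever follows is
/// parsed as SQL. Kept only to contrast with insertUser(); never execute it.
string unsafeInsertSql(NewUser u)
{
    return format("INSERT INTO users (name, email) VALUES ('%s', '%s')",
                  u.name, u.email);
}

/// SAFE: '?' placeholders. The statement text goes to the server on its own
/// and the values are bound separately, so no value can change the SQL.
/// Returns the number of affected rows.
ulong insertUser(Connection conn, NewUser u)
{
    return conn.exec("INSERT INTO users (name, email) VALUES (?, ?)",
                     u.name, u.email);
}

/// Reading with a bound parameter works the same way: queryRow returns a
/// Nullable row, empty when nothing matched.
bool emailTaken(Connection conn, string email)
{
    auto row = conn.queryRow("SELECT 1 FROM users WHERE email = ?", email);
    return !row.isNull;
}

void main()
{
    // Assumed connection string; not from the page.
    auto conn = new Connection("host=localhost;port=3306;user=app;pwd=secret;db=appdb");
    scope(exit) conn.close();

    // A legitimate name with an apostrophe: unsafeInsertSql() would yield
    // broken SQL for it, while the prepared form stores it exactly as given.
    auto u = NewUser("Sinéad O'Brien", "sinead@example.com");
    if (!emailTaken(conn, u.email))
        insertUser(conn, u);
}
```

Note that the prepared statement removes the need for any `mysqli_real_escape_string()`-style escaping: escaping tries to make data safe inside SQL text, whereas binding keeps the data out of the SQL text entirely. Input validation (rejecting a malformed e-mail, a name that is too long, and so on) is still done before the insert, for data quality rather than for injection safety.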
Adam D. Ruppe <destructionator gmail.com> writes:
On Monday, 12 December 2016 at 10:25:05 UTC, aberba wrote:
> How about alternative to php strip_tags(), strip_slash() ?
I wouldn't use those functions anyway in most cases: instead of stripping stuff, just encode it properly for the output. So, if it is being output to JSON or JavaScript, JSON encode it. If it is going to HTML, HTML encode it. If a URL, URL encode it. If to a database, use a prepared statement.

You may need to use multiple layers. A link may be both URL and HTML encoded, because first it is a URL, then it is being added to an HTML document so it needs that too.

I don't know the vibe library, but my dom.d has a bunch of options for HTML encode.
Dec 15 2016
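As an added example covering both of Adam's replies (the `htmlEntitiesEncode` suggestion and the "encode for the output context, layering where needed" rule), here is Phobos-only D that encodes one user-supplied value for the HTML, JSON and URL contexts and builds a link that needs two layers. The `htmlEncode` helper is hand-written for the example because Phobos has no HTML encoder; it does the same job as arsd.dom's `htmlEntitiesEncode`, which is the one to use if you already depend on dom.d. The sample input is constructed.

```d
// Added example, not Adam's dom.d code: one value, encoded per output
// context, plus a link that is URL-encoded and then HTML-encoded.
// Build and run with: dmd -run encode.d
import std.array : appender;
import std.json : JSONValue;
import std.stdio : writeln;
import std.uri : encodeComponent;

/// HTML text/attribute context. Hand-written substitute for
/// arsd.dom.htmlEntitiesEncode, covering the five characters that can
/// change HTML structure or end an attribute value.
string htmlEncode(string s)
{
    auto app = appender!string();
    foreach (dchar c; s)
    {
        switch (c)
        {
            case '<':  app.put("&lt;");   break;
            case '>':  app.put("&gt;");   break;
            case '&':  app.put("&amp;");  break;
            case '"':  app.put("&quot;"); break;
            case '\'': app.put("&#39;");  break;
            default:   app.put(c);
        }
    }
    return app.data;
}

/// JSON / JavaScript string-literal context: std.json quotes and escapes.
/// This covers the JSON layer only; placing the result inside an inline
/// <script> element is a second layer with its own rules.
string jsonEncode(string s)
{
    return JSONValue(s).toString();
}

/// Two layers: the query value is URL-encoded because it is part of a URL,
/// then the whole URL is HTML-encoded because it sits in an href attribute.
/// The literal '&' between the two query parameters is what the second
/// layer has to handle.
string searchLink(string query)
{
    string url = "/search?q=" ~ encodeComponent(query) ~ "&page=1";
    return `<a href="` ~ htmlEncode(url) ~ `">` ~ htmlEncode(query) ~ `</a>`;
}

void main()
{
    // Constructed input: what a form field might contain.
    string userData = `<script>alert("x")</script> & more`;
    writeln(htmlEncode(userData));   // <script> becomes &lt;script&gt;
    writeln(jsonEncode(userData));   // quoted, inner quotes escaped
    writeln(searchLink("cats & dogs"));
}
```

For "cats & dogs" the link comes out as `<a href="/search?q=cats%20%26%20dogs&amp;page=1">cats &amp; dogs</a>`: the `&` inside the value was handled by the URL layer, the `&` separating parameters by the HTML layer, and the visible text by the HTML layer alone. The database context is the fourth case in Adam's list and is handled by a prepared statement rather than by any encoder.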