Kamil Tekiela <tekiela...@gmail.com>:

> These are just the things I found confusing and strange about the sanitize
> filters. Let's try to put ourselves in the shoes of an average PHP
> developer trying to comprehend these filters. It's quite easy to shoot
> yourself in the foot if you try to use them. The PHP manual doesn't do a
> good job of explaining them, but that's probably because they are not easy
> to explain. I can't come up with good examples of when they should be used.
>

I agree there are many confusing names/features/behaviors.
IMO, input validation and output sanitization should be 2 different
features.

https://wiki.sei.cmu.edu/confluence/display/seccode/Top+10+Secure+Coding+Practices

Input validation is the 1st secure coding principle for input data
handling. Output sanitization is the 7th secure coding principle for
output data handling. The filter module is mixing these up.
(And input validation should not sanitize input, but validate. Otherwise,
the web app is not OWASP TOP 10 compliant, i.e. OWASP TOP 10 A09:2021
requires detecting DAST attacks.)

I wrote the input validation part years ago, if anyone is interested.
https://github.com/yohgaki/validate-php (Obsolete C module. Do not use)
https://github.com/yohgaki/validate-php-scr (PHP library)

--
Yasuo Ohgaki
yohg...@ohgaki.net
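Added example, not from this thread or from the validate-php projects: the same constructed inputs run through the filter extension's validate and sanitize flavours side by side, to show why mixing the two is risky. Validation rejects anything outside the spec (here an integer in 0..150, a constructed range) so the application can log or refuse the request, while sanitization silently rewrites the input into something that passes; escaping then happens separately, at output time, for the output context.

```php
<?php
declare(strict_types=1);

// Constructed sample inputs, as they might arrive in a query string.
$samples = ['42', ' 42 ', '12abc34', '4e2', '<b>7</b>', '9999'];

// Input validation: accept only values matching the spec, reject the rest.
// Returns null on rejection so the caller can log/refuse instead of guessing.
function validateAge(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    return $v === false ? null : $v;
}

// "Sanitization" with the filter extension: strips characters and carries on,
// so malformed or out-of-range input becomes a plausible-looking number.
function sanitizeAge(string $raw): string
{
    return (string) filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
}

// Output handling, done separately from validation: escape for the output
// context (HTML here) at the point where the value is emitted.
function renderAge(int $age): string
{
    return '<span>' . htmlspecialchars((string) $age, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</span>';
}

foreach ($samples as $raw) {
    $valid = validateAge($raw);
    printf(
        "%-12s validate => %-7s sanitize => %s\n",
        var_export($raw, true),
        $valid === null ? 'REJECT' : (string) $valid,
        var_export(sanitizeAge($raw), true)
    );
    if ($valid !== null) {
        echo '  rendered: ', renderAge($valid), "\n";
    }
}
```

Note that `'12abc34'` and `'<b>7</b>'` are rejected by validation but sanitized to `'1234'` and `'7'`, and `'9999'` passes sanitization untouched even though it violates the range: the sanitize filter never knows the spec.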
