[PHP] Filter Input: Inspekt

2007-11-20 Thread Manuel Vacelet
Hi all,

Has anyone already heard about the inspekt library?
http://code.google.com/p/inspekt/

Quote from the web site:
Inspekt acts as a sort of 'firewall' API between user input and the
rest of the application. It takes PHP superglobal arrays, encapsulates
their data in a cage object, and destroys the original superglobal.
Data can then be retrieved from the input data object using a variety
of accessor methods that apply filtering, or the data can be checked
against validation methods. Raw data can only be accessed via a
'getRaw()' method, forcing the developer to show clear intent.

It seems very interesting; unfortunately, I didn't see any discussion
channel attached to this project, and the project seems rather young.
So it's hard to tell if this is an active project we can rely on for
long-term usage.

Maybe some of you already use it?

-- Manuel

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Filter input

2007-10-12 Thread tedd

At 5:17 PM +0200 10/11/07, Manuel Vacelet wrote:

The thing that remains not very clear to me is where validation stops
and where application logic starts.



Forgive me if I'm stating the obvious.

For me, there isn't a variable that I receive in any of my scripts 
that I don't know what it should be (exact or range) and, as such, I 
filter accordingly.


A very good book on this subject is Chris Shiflett's PHP Security 
(http://shiflett.org/).


He uses a methodology of clean variables that answers the question you pose.

As for me, acquiring any variables from outside my script requires 
checking -- it's a one part process and not two.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




[PHP] Filter input

2007-10-11 Thread Manuel Vacelet
Hi all,

I repeat the mantra 'filter input, escape output' every day before
writing any line of code.
For filtering input I usually develop my own filter, but I don't like
this solution as it's error prone (my regexp may be wrong, I don't
like to re-invent the wheel that much, ...).

I'd like to know if there is a library that could help me. I identified:
- PEAR Validate:
  * seems nice
  * but no activity since ~1year and still beta.

- PEAR HTML_QuickForm:
  * validation is a part of its job.
  * not very usable if you only want to validate input (need to
declare each element before, access to invalid element not easy).

- PHP Filter:
  * Requires PHP 5.2
  * As it's embedded in the PHP core, if there is a security hole we
need to wait for a new PHP version to fix the bug.

Is there any other library I need to investigate?
What are you using for your own developments?

-- Manuel




Re: [PHP] Filter input

2007-10-11 Thread Jim Lucas

Manuel Vacelet wrote:

Hi all,

I repeat the mantra 'filter input, escape output' every day before
writing any line of code.
For filtering input I usually develop my own filter, but I don't like
this solution as it's error prone (my regexp may be wrong, I don't
like to re-invent the wheel that much, ...).

I'd like to know if there is a library that could help me. I identified:
- PEAR Validate:
  * seems nice
  * but no activity since ~1year and still beta.

- PEAR HTML_QuickForm:
  * validation is a part of its job.
  * not very usable if you only want to validate input (need to
declare each element before, access to invalid element not easy).

- PHP Filter:
  * Requires PHP 5.2
  * As it's embedded in the PHP core, if there is a security hole we
need to wait for a new PHP version to fix the bug.

Is there any other library I need to investigate?
What are you using for your own developments?

-- Manuel


What are you wanting to validate?

Do you want a package/class/function set that when called will validate 
different types of input?
Email, string, int, etc...

--
Jim Lucas

   Some men are born to greatness, some achieve greatness,
   and some have greatness thrust upon them.

Twelfth Night, Act II, Scene V
by William Shakespeare




Re: [PHP] Filter input

2007-10-11 Thread Manuel Vacelet
On 10/11/07, Jim Lucas [EMAIL PROTECTED] wrote:
 What are you wanting to validate?

 Do you want a package/class/function set that when called will validate 
 different types of input?
 Email, string, int, etc...

Basically yes.
I want to validate:
- type: (string, int, float, ..)
- characteristics (length, allowed characters, ...)
- nature (email, ISBN, ...)

I also want this lib. to let me define my own rules.
For instance, I'm dealing with parameters that look like 'field_33',
'field_1', 'label', 'title'.
I want to be able to tell it:
validate stuff that match:
- (field_[0-9]+ or [a-z]+)
and maybe in some cases
- (field_[0-9]+ or label or title)

The thing that remains not very clear to me is where validation stops
and where application logic starts.

Example:
A given 'item' (value = 7) has 3 'fields':
- field_33
- field_5
- label

When it comes to validating the field values of item '7',
should I validate 'field' against
- ('field_33', 'field_5', 'label')
  - I validate the data are well formed AND coherent.
or
- ('field_[0-9]+', '[a-z]+')
  - I only care about the form and I let the application part deal
with coherency later.

I don't know if I'm clear enough!

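The two layers Manuel is asking about, written out as an added example (this is not code from the thread): the first function checks only that a 'field' parameter is well formed, the second checks that it is coherent with the item it belongs to; the item/field table is constructed from the example in the post.

```php
<?php
// Added example, not code from the thread: syntactic validation at the input
// boundary, then a coherence check that belongs to the application logic.
// The item/field table is constructed from the 'item 7' example in the post.
declare(strict_types=1);

/** Layer 1 (input filter): accept only 'field_<digits>' or a lowercase word. */
function isWellFormedFieldName(string $name): bool
{
    // \A and \z rather than ^ and $: '$' also matches before a trailing
    // newline, so "label\n" would slip through ^...$ but is rejected here.
    return preg_match('/\A(?:field_[0-9]+|[a-z]+)\z/', $name) === 1;
}

/** Layer 2 (application logic): the field must exist for this item. */
function isFieldOfItem(int $itemId, string $name, array $itemFields): bool
{
    return isset($itemFields[$itemId])
        && in_array($name, $itemFields[$itemId], true);
}

// Constructed data: item 7 has exactly the three fields named in the post.
$itemFields = [7 => ['field_33', 'field_5', 'label']];

// Normally read from $_GET; the defaults only keep the example runnable.
$itemId = filter_var($_GET['item'] ?? '7', FILTER_VALIDATE_INT);
$field  = $_GET['field'] ?? 'field_5';

// is_string() matters: ?field[]=x arrives as an array and must not pass.
if ($itemId === false || !is_string($field) || !isWellFormedFieldName($field)) {
    header('HTTP/1.1 400 Bad Request');   // malformed: stop at the boundary
    exit("Bad request\n");
}
if (!isFieldOfItem($itemId, $field, $itemFields)) {
    header('HTTP/1.1 404 Not Found');     // well formed, but not a field of this item
    exit("Unknown field for this item\n");
}
echo "OK: item $itemId, field $field\n";
```

The 400/404 split mirrors the distinction in the post: a malformed value never reaches the application, while a well-formed but incoherent one is an application-level "not found".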



[PHP] filter input; escape output; Email Text

2007-07-20 Thread Richard Lynch
So, I'm trying to be more consistent about escaping my output.

I do something like this (only prettier):

if (!isset($_REQUEST['blah_id'])) error_out("Bad blah_id input");
$blah_id = (int) $_REQUEST['blah_id'];
$blah_id_sql = mysql_real_escape_string($blah_id, $connection);
$query = "select title from blah where blah_id = $blah_id_sql";
$blah = mysql_query($query, $connection) or die("DB Error");
list($title) = mysql_fetch_row($blah);
$title_html = htmlentities($title);
$title_email = SOME_FUNCTION_HERE($title);

What function should be used to escape output to make it 100% kosher
for an email Subject and/or Body, in a plain-text email?

The original title came from the outside world, had
mysql_real_escape_string() applied to it, and was crammed into the DB.

It could have ANY kind of malicious text in it.

We do NOT send (and will NEVER send) HTML enhanced (cough, cough) emails.

For simplicity's sake, I'd probably be happy with a more restrictive
function that covered both Subject and Body in this instance.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

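Two candidates for the SOME_FUNCTION_HERE step, as an added example (not code from the thread or from any library it mentions): one for a plain-text Subject, one for a plain-text body. It assumes the mbstring extension is available for the header encoding; the sample title is constructed.

```php
<?php
// Added example, not code from the thread. In a header such as Subject:, a
// CR or LF terminates the header, so the subject must be forced onto one line
// and non-ASCII must be MIME-encoded. In the body, line endings are
// normalised and remaining control characters are dropped.
declare(strict_types=1);

/** Subject: one line, no control characters, RFC 2047 encoded if non-ASCII. */
function escapeEmailSubject(string $text): string
{
    $text = preg_replace('/[\r\n\t]+/', ' ', $text);      // no line breaks in a header
    $text = preg_replace('/\p{C}+/u', '', $text) ?? '';   // other control chars; '' on bad UTF-8
    $text = trim(preg_replace('/ {2,}/', ' ', $text));
    if (preg_match('/[^\x20-\x7E]/', $text)) {            // non-ASCII: B-encoded word
        return mb_encode_mimeheader($text, 'UTF-8', 'B');  // assumes ext/mbstring
    }
    return $text;
}

/** Body: LF line endings, no other control characters, lines wrapped at 70. */
function escapeEmailBody(string $text): string
{
    $text = str_replace(["\r\n", "\r"], "\n", $text);
    $text = preg_replace('/[^\P{C}\n\t]+/u', '', $text) ?? '';  // keep printable, \n, \t
    return wordwrap($text, 70, "\n", true);
}

// Constructed sample title, as if read from the DB: non-ASCII plus an
// embedded line break that must not survive into the Subject header.
$title   = "Résumé of results\r\n  second line";
$subject = escapeEmailSubject($title);          // one "=?UTF-8?B?...?=" encoded word
$body    = escapeEmailBody("Title: $title\n");

// Both values are now safe to hand to mail($to, $subject, $body, $headers).
echo "Subject: $subject\n\n$body";
```

The subject function fails closed: a title that is not valid UTF-8 becomes an empty subject rather than reaching the header unfiltered.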