[PHP] Filter Input: Inspekt
Hi all,

Has anyone already heard of the Inspekt library? http://code.google.com/p/inspekt/

Quote from the web site:

  Inspekt acts as a sort of 'firewall' API between user input and the rest of the application. It takes PHP superglobal arrays, encapsulates their data in a cage object, and destroys the original superglobal. Data can then be retrieved from the input data object using a variety of accessor methods that apply filtering, or the data can be checked against validation methods. Raw data can only be accessed via a 'getRaw()' method, forcing the developer to show clear intent.

It seems very interesting. Unfortunately, I didn't see any discussion channel attached to this project, and the project seems rather young, so it's hard to tell if this is an active project we can rely on for long-term usage. Maybe some of you already use it?

-- Manuel

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Filter input
At 5:17 PM +0200 10/11/07, Manuel Vacelet wrote:

> The thing that remains not very clear to me is where validation stops and where application logic starts.

Forgive me if I'm stating the obvious. For me, there isn't a variable that I receive in any of my scripts that I don't know what it should be (exact or range) and, as such, I filter accordingly.

A very good book on this subject is Chris Shiflett's PHP Security (http://shiflett.org/). He uses a methodology of clean variables that answers the question you pose.

As for me, acquiring any variables outside my script requires checking -- it's a one-part process and not two.

Cheers,

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
[PHP] Filter input
Hi all,

I repeat the mantra 'filter input, escape output' every day before writing any line of code.

For filtering input I usually develop my own filter, but I don't like this solution as it's error prone (my regexp may be wrong, I don't like to re-invent the wheel that much, ...). I'd like to know if there is a library that could help me. I identified:

- PEAR Validate:
  * seems nice
  * but no activity since ~1 year and still beta.
- PEAR HTML_QuickForm:
  * validation is a part of its job.
  * not very usable if you only want to validate input (need to declare each element before, access to invalid element not easy).
- PHP Filter:
  * Requires PHP 5.2
  * As it's embedded in the PHP core, if there is a security hole we need to wait for a new PHP version to fix the bug.

Is there any other library I need to investigate? What are you using for your own developments?

-- Manuel
Re: [PHP] Filter input
Manuel Vacelet wrote:

> Hi all,
>
> I repeat the mantra 'filter input, escape output' every day before writing any line of code.
>
> For filtering input I usually develop my own filter, but I don't like this solution as it's error prone (my regexp may be wrong, I don't like to re-invent the wheel that much, ...). I'd like to know if there is a library that could help me. I identified:
>
> - PEAR Validate:
>   * seems nice
>   * but no activity since ~1 year and still beta.
> - PEAR HTML_QuickForm:
>   * validation is a part of its job.
>   * not very usable if you only want to validate input (need to declare each element before, access to invalid element not easy).
> - PHP Filter:
>   * Requires PHP 5.2
>   * As it's embedded in the PHP core, if there is a security hole we need to wait for a new PHP version to fix the bug.
>
> Is there any other library I need to investigate? What are you using for your own developments?
>
> -- Manuel

What are you wanting to validate? Do you want a package/class/function set that when called will validate different types of input? Email, string, int, etc...

--
Jim Lucas

Some men are born to greatness, some achieve greatness, and some have greatness thrust upon them.

Twelfth Night, Act II, Scene V
by William Shakespeare
Re: [PHP] Filter input
On 10/11/07, Jim Lucas wrote:

> What are you wanting to validate? Do you want a package/class/function set that when called will validate different types of input? Email, string, int, etc...

Basically yes. I want to validate:
- type (string, int, float, ...)
- characteristics (length, allowed characters, ...)
- nature (email, ISBN, ...)

I also want this lib. to let me define my own rules. For instance, I'm dealing with parameters that look like 'field_33', 'field_1', 'label', 'title'. I want to be able to tell it: validate stuff that matches
- (field_[0-9]+ or [a-z]+)
and maybe in some cases
- (field_[0-9]+ or label or title)

The thing that remains not very clear to me is where validation stops and where application logic starts. Example: a given 'item' (value = 7) has 3 'fields':
- field_33
- field_5
- label

When it comes to validating the field values of item '7', should I validate 'field' against
- ('field_33', 'field_5', 'label') - I validate that the data are well formed AND coherent.
or
- ('field_[0-9]+', [a-z]+) - I only care about the form and I let the application part deal with coherency later.

I don't know if I'm clear enough!
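Added example (my code, not from the thread, Inspekt or any PEAR package) covering both the library question in the first message and the "where does validation stop" question above. It uses the PHP Filter extension (filter_var, mentioned in the thread) for typed checks and preg_match for custom rules, and keeps the two stages separate: stage 1 only decides whether each parameter is well-formed, stage 2 is application logic that decides whether a well-formed field actually belongs to the item. The function names (rules, validateForm, fieldBelongsToItem), the item/field table and the sample requests are all constructed for this example; it assumes PHP 7.1 or later.

```php
<?php
// Added example: two-stage input validation.
// Stage 1 (form): is the value a well-formed int / email / field name?
// Stage 2 (coherence): does this field belong to this item? That is application logic.

/** Syntactic rules: parameter name => closure returning the clean value, or null if malformed. */
function rules(): array {
    return [
        // item id: an integer in a sane range (FILTER_VALIDATE_INT rejects "7abc", " 7 " etc.)
        'item' => function (string $raw) {
            $v = filter_var($raw, FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 1, 'max_range' => 1000000]]);
            return $v === false ? null : $v;
        },
        // field name: either field_<digits> or a short lowercase word.
        // \A and \z are used instead of ^ and $: a trailing newline would still match $.
        'field' => function (string $raw) {
            return preg_match('/\A(?:field_[0-9]{1,6}|[a-z]{1,32})\z/', $raw) ? $raw : null;
        },
        'email' => function (string $raw) {
            $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
            return $v === false ? null : $v;
        },
    ];
}

/** Stage 1: validate form only. Returns [clean values, errors]. Parameters without a rule are dropped. */
function validateForm(array $input, array $rules): array {
    $clean = [];
    $errors = [];
    foreach ($rules as $name => $check) {
        if (!isset($input[$name]) || !is_string($input[$name])) {
            $errors[$name] = 'missing';
            continue;
        }
        $v = $check($input[$name]);
        if ($v === null) {
            $errors[$name] = 'malformed';
        } else {
            $clean[$name] = $v;
        }
    }
    return [$clean, $errors];
}

/** Stage 2 (application logic): is the already well-formed field coherent with the item? */
function fieldBelongsToItem(int $item, string $field, array $itemFields): bool {
    return isset($itemFields[$item]) && in_array($field, $itemFields[$item], true);
}

// Constructed sample data: item 7 has the three fields named in the message above.
$itemFields = [7 => ['field_33', 'field_5', 'label']];

// Constructed sample requests (what $_GET or $_POST might contain).
$requests = [
    ['item' => '7', 'field' => 'field_33', 'email' => 'a@example.com'], // well-formed and coherent
    ['item' => '7', 'field' => 'field_99', 'email' => 'a@example.com'], // well-formed, not coherent
    ['item' => '7', 'field' => "field_1\n", 'email' => 'a@example.com'], // malformed: trailing newline
    ['item' => 'x', 'field' => 'title',    'email' => 'not-an-email'],   // two malformed parameters
];

foreach ($requests as $i => $req) {
    [$clean, $errors] = validateForm($req, rules());
    if ($errors) {
        printf("request %d: rejected by validation: %s\n", $i, json_encode($errors));
        continue;
    }
    $ok = fieldBelongsToItem($clean['item'], $clean['field'], $itemFields);
    printf("request %d: well-formed; coherent with item %d: %s\n", $i, $clean['item'], $ok ? 'yes' : 'no');
}
```

The split answers the question in the message: the validation layer only knows the shape of each parameter and can be written once, while the list of fields that belong to item 7 lives with the data model and changes with it. Rejecting at stage 1 costs nothing (no database lookup), and a request that passes stage 1 but fails stage 2 is still worth logging, because a well-formed field name that does not belong to the item is more likely to be tampering than a typo.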
[PHP] filter input; escape output; Email Text
So, I'm trying to be more consistent about escaping my output. I do something like this (only prettier):

if (!isset($_REQUEST['blah_id'])) error_out("Bad blah_id input");
$blah_id = (int) $_REQUEST['blah_id'];
$blah_id_sql = mysql_real_escape_string($blah_id, $connection);
$query = "select title from blah where blah_id = $blah_id_sql";
$blah = mysql_query($query, $connection) or die("DB Error");
list($title) = mysql_fetch_row($blah);
$title_html = htmlentities($title);
$title_email = SOME_FUNCTION_HERE($title);

What function should be used to escape output to make it 100% kosher for an email Subject and/or Body, in a plain-text email?

The original title came from the outside world, had mysql_real_escape_string() applied to it, and was crammed into the DB. It could have ANY kind of malicious text in it.

We do NOT send (and will NEVER send) HTML enhanced (cough, cough) emails.

For simplicity's sake, I'd probably be happy with a more restrictive function that covered both Subject and Body in this instance.

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
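Added example (my code, not from the thread and not a PHP standard function) of the SOME_FUNCTION_HERE the message asks for. The risk that matters in a Subject is different from the one in a Body: a CR or LF inside a header value ends that header and lets whatever follows be read as a new header, while text in a plain-text body cannot inject headers at all but can still carry control characters and mixed line endings. So the Subject sanitizer strips all ASCII control characters and, if any non-ASCII remains, turns it into RFC 2047 encoded-words (each kept under the 75-character limit); the Body sanitizer only drops control characters and normalizes line endings. The names emailSubject, emailBody and encodedWords and the sample title are constructed for this example; it assumes PHP 7.4 or later with mbstring.

```php
<?php
// Added example: preparing one untrusted string for the Subject and for the Body of a plain-text email.

/** Split UTF-8 text into RFC 2047 B-encoded words of at most 75 characters, never splitting a character. */
function encodedWords(string $utf8, int $maxBytes = 45): string {
    // 45 bytes -> 60 base64 chars, plus "=?UTF-8?B?" and "?=" gives 72 chars per encoded-word.
    $words = [];
    $chunk = '';
    $n = mb_strlen($utf8, 'UTF-8');
    for ($i = 0; $i < $n; $i++) {
        $ch = mb_substr($utf8, $i, 1, 'UTF-8');
        if (strlen($chunk . $ch) > $maxBytes) {
            $words[] = $chunk;
            $chunk = '';
        }
        $chunk .= $ch;
    }
    if ($chunk !== '') {
        $words[] = $chunk;
    }
    // Adjacent encoded-words separated by a space are displayed concatenated (RFC 2047, section 6.2).
    return implode(' ', array_map(fn($w) => '=?UTF-8?B?' . base64_encode($w) . '?=', $words));
}

/** Make untrusted text safe as a Subject: header value. */
function emailSubject(string $raw, int $maxChars = 200): string {
    // 1. Every ASCII control character goes, including CR, LF and NUL: this is what stops header injection.
    $s = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $raw);
    // 2. Collapse whitespace and cap the length; nothing in a subject needs to be longer than this.
    $s = trim(preg_replace('/\s+/', ' ', $s));
    if (mb_strlen($s, 'UTF-8') > $maxChars) {
        $s = mb_substr($s, 0, $maxChars, 'UTF-8');
    }
    // 3. Raw 8-bit bytes are not allowed in headers; encode if anything outside printable ASCII is left.
    if (preg_match('/[^\x20-\x7E]/', $s)) {
        $s = encodedWords($s);
    }
    return $s;
}

/** Make untrusted text safe inside a plain-text body. */
function emailBody(string $raw, string $eol = "\n"): string {
    // Keep tab, LF and CR for now; drop every other ASCII control character (NUL, ESC, ...).
    $b = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $raw);
    // Normalize CRLF / CR / LF to one line ending so the MTA sees consistent lines.
    $b = preg_replace('/\r\n|\r|\n/', $eol, $b);
    // Keep lines well under the SMTP line-length limit.
    return wordwrap($b, 78, $eol, false);
}

// Constructed sample: a stored title that tries to smuggle an extra header through the Subject.
$title = "Order confirmation\r\nBcc: someone@example.com";

$subject = emailSubject($title);   // the CRLF is gone, so "Bcc:" is just text in the subject line
$body    = emailBody("Thanks for your order.\nTitle: $title\x00\n");

echo "Subject: $subject\n";
echo "Body:\n$body";

// Only now hand the pieces to mail(); the Subject must already be clean because mail() sends it as given.
// mail($to, $subject, $body, "From: shop@example.com\r\nContent-Type: text/plain; charset=UTF-8");
```

The same rule applies to every other header built from user data (From, To, Reply-To, the display name in front of an address): strip control characters first, then encode. The Body needs less, but it still should not be used to build headers, and if an address or name from the database is placed in additional_headers it has to go through the Subject-style cleaning as well.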