PHP's Built in Input filtering: Pro or Against?
Posted: Sat Feb 10, 2007 1:18 pm
by Oren
So I've found this article pretty much by mistake:
http://devzone.zend.com/node/view/id/1113
Read the article AND the comments there, and share your thoughts...
Are you pro PHP's built in input filtering or against?
Posted: Sat Feb 10, 2007 3:22 pm
by Ambush Commander
I really can't pass judgment, since I haven't actually used input filter for a serious project yet.
I have two disagreements with it though:
- Being PHP 5.1+ is a major downer, since most projects have already developed their own in-house filtering solutions, and it's difficult to swap filter out for something else (no OO means no polymorphism!) (you could try reimplementing filter in PHP-space, but that's no fun).
- The documentation doesn't state exactly what the behavior of the sanitizing and validating filters is, giving PHP-space equivalent functionality. This makes most of the filters a sort of mystery meat: what exactly is an email as defined by FILTER_VALIDATE_EMAIL? They're probably not going by the RFC... But this is not an actual disagreement with the code. Just the docs.
Posted: Sat Feb 10, 2007 4:07 pm
by Christopher
I can really vote for a number of reasons:
1. Yet another filtering library is fine -- but people have to use it.
2. A better idea is to make best practices the easy thing to do by making choke points, like database libs and where output is sent to the response, where filtering is the natural thing to do (good-bye echo()?).
3. It is not OO.
4. There should be some reasonable implementation for newbies and a more controllable one for advanced developers.
5. And some controllable way to implement/remove across the board filters for the request, response and output to subsystems.
Posted: Sat Feb 10, 2007 4:19 pm
by timvw
The API for booleans is cluttered... But I already posted that (Use the search, Luke).
Posted: Sat Feb 10, 2007 4:40 pm
by Oren
timvw wrote: The API for booleans is cluttered...
Yeah, that's what I thought too.
timvw wrote: But I already posted that (Use the search, Luke).
Where? I mean... as a comment to the article? Here on PHPDN? On the php.net site? Because I searched on these 3 and didn't find any 'luke'.
By the way, I'm against:
1. This whole idea leaves you without much control.
2. The syntax is really ugly. As someone posted as a comment to the article:
Just my 5 cents. I think that idea of standard variable filtering is good, but the syntax is really ugly. Are you sure there can't be no other to creating filters not using functions with 4 parameters one of which is an array itself and two other are some STUPID_FOUR_WORDS_CONSTANTS.
P.S. I liked the "STUPID_FOUR_WORDS_CONSTANTS" thingy.
Posted: Sun Feb 11, 2007 4:04 am
by timvw
Oren wrote:
timvw wrote: But I already posted that (Use the search, Luke).
Where? I mean... as a comment to the article? Here on PHPDN? On the php.net site? Because I searched on these 3 and didn't find any 'luke'.
viewtopic.php?p=342183
Posted: Sun Feb 11, 2007 8:47 am
by Oren
Ok, cool.
Posted: Sun Feb 11, 2007 11:04 pm
by Z3RO21
OO is the way to go in my opinion. I am in a class that acts as a web design team. I am experienced in PHP, but my fellow classmates are new to it. So far every book supplied to them for aid in PHP has nothing on OOP. I always insist on OOP programming. I am glad I am the project leader to ensure it is done with OOP. But my vote is against; I would also prefer to write my own validation and filtering procedures.
Posted: Mon Feb 12, 2007 12:38 am
by timvw
Z3RO21 wrote: I would also prefer to write my own validation and filtering procedures.
Why? That people wrap an existing library into their application I can understand... But I don't see a reason to write a library if there is one already that suffices my needs...
Posted: Mon Feb 12, 2007 3:04 am
by Maugrim_The_Reaper
I'm neither way inclined. It's a default extension so whoever is installing has a few options. My main concern is whether PHP developers will work with the extension or against it. Evidence to date is that folk will repeat the mistakes of the past and simply add some code to pretend it doesn't exist. After watching for a while now I think adoption is going to be very difficult...
They're probably not going by the RFC...
They use the same regex as a component from PEAR - it claims to be RFC compliant but I suspect it's a bit more restrictive than that based on the regex length and a number of tests done in the past. Of course there are likely few regexes capable of covering the entire RFC anyway. The extension C source isn't very long so it's surprisingly easy to follow how everything works in there.
I wish it were OO though - I do find that a bit of a stinker but I suppose that's off the point of its original goal.
Posted: Mon Feb 12, 2007 3:13 am
by CoderGoblin
Personally, I will look into the Zend Framework "Zend_Input_Filter" when it is more mature... At least then the email check may work (didn't last time I looked).
I agree that when you are looking at legacy data, changing it may cause problems, but when building from scratch it may be worth looking into along with TDD etc, etc, etc (so many new possibilities, so little time).
Posted: Mon Feb 12, 2007 3:19 am
by Christopher
Maugrim_The_Reaper wrote: I wish it were OO though - I do find that a bit of a stinker but I suppose that's off the point of its original goal.
And from what I read there won't be. I see the same thinking with the Zend Framework. They just don't understand the value of containers.
Posted: Mon Feb 12, 2007 3:20 am
by Maugrim_The_Reaper
As far as I am aware the ZF remains without an email regex. Last I checked they were discussing a very loose form outside the scope of the RFC. Not sure I agree with that - there'll always be a few exceptional users wondering why a login form is insisting their email is wonky.
Zend_Filter_Input is now being challenged by some new rule-based classes - see Zend_Filter and Zend_Validate. All they need now is a filter manager and I can dump all that repetitive Zend_Filter_Input usage which seems to take up half the code I write for a controller action...
Posted: Mon Feb 12, 2007 3:50 am
by Christopher
Yes, but Zend_Filter and Zend_Validate still accept a single value instead of a container (e.g. HTTP request) -- so you need one per variable. That's pretty silly considering that each request var only has one or two filters or rules. It is easier to just call the filters and rules directly which just gets you back to Filter_Input's procedural style.
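As an added example (not code from the thread, from PHP or from Zend Framework), a small container-oriented wrapper over the procedural filter extension, in the spirit of the container point above and timvw's boolean complaint: one definition is applied to a whole request array with filter_var_array(), and FILTER_NULL_ON_FAILURE is forced onto boolean fields so that "off" and garbage no longer both come back as false. The RequestFilter class and its method names are hypothetical; each definition entry is a filter constant or an array('filter' => ..., 'flags' => ..., 'options' => ...).

```php
<?php
// Added example (hypothetical RequestFilter class), not code from the thread or PHP itself.
class RequestFilter
{
    private $definition = array();
    public function __construct(array $definition)
    {
        foreach ($definition as $field => $spec) {
            $spec = is_array($spec) ? $spec : array('filter' => $spec);
            // FILTER_VALIDATE_BOOLEAN returns false both for "no"/"off" and for garbage;
            // with FILTER_NULL_ON_FAILURE only real failures come back as null.
            if ($spec['filter'] === FILTER_VALIDATE_BOOLEAN) {
                $spec['flags'] = (isset($spec['flags']) ? $spec['flags'] : 0) | FILTER_NULL_ON_FAILURE;
            }
            $this->definition[$field] = $spec;
        }
    }
    // Filters a whole container such as $_GET; returns array('values' => ..., 'errors' => ...).
    public function apply(array $input)
    {
        $values = filter_var_array($input, $this->definition);
        $errors = array();
        foreach ($this->definition as $field => $spec) {
            if (!array_key_exists($field, $input)) {
                $errors[$field] = 'missing';   // filter_var_array() reports these as null
                unset($values[$field]);
                continue;
            }
            $failed = ($spec['filter'] === FILTER_VALIDATE_BOOLEAN)
                ? $values[$field] === null
                : $values[$field] === false;
            if ($failed) {
                $errors[$field] = 'invalid';
                unset($values[$field]);
            }
        }
        return array('values' => $values, 'errors' => $errors);
    }
}
// Constructed sample request standing in for $_GET.
$request = array('page' => '3', 'email' => 'user@example.com', 'debug' => 'maybe');
$filter = new RequestFilter(array(
    'page'  => array('filter' => FILTER_VALIDATE_INT, 'options' => array('min_range' => 1, 'max_range' => 500)),
    'email' => FILTER_VALIDATE_EMAIL,
    'debug' => FILTER_VALIDATE_BOOLEAN,   // 'maybe' is neither true nor false -> invalid
    'id'    => FILTER_VALIDATE_INT,       // absent from the request -> missing
));
var_dump($filter->apply($request));
```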
Posted: Mon Feb 12, 2007 4:04 am
by sike
I really dislike the procedural approach of that extension - so a big "DISLIKE" from me (:
Another thing that makes me a bit nervous is:
“Another example: FILTER_VALIDATE_EMAIL says this is email: “franta@centrum.cz”@seznam.cz is valid. And this “vfranta@centrum.cz”@seznam.cz (added letter v) not. Is this correct? I don’t think so. But I cannot correct this behaviour in PHP.”
It must be a bug, the regexp is not perfect (which email regexp is…:). You can “fix” it using your own regexp.
cheers
Chris