
What do people think about the filter extension?

Posted: Tue Jun 26, 2007 9:33 am
by Ollie Saunders
The filter extension is not something I've ever used so I was interested in what people think of it. Whenever I've ever needed to do any filtering I've always been able to use an existing PHP function, regex, or combination to achieve what I want in PHP code that I can easily modify, test and examine. Additionally there is the concern of portability that any new extension implies although I think this is a minute issue in my case.

Comments?

Posted: Tue Jun 26, 2007 9:40 am
by feyd
Honestly, I haven't used it as yet because I'm doing the majority of development in 5.1 still.

Re: What do people think about the filter extension?

Posted: Tue Jun 26, 2007 10:33 am
by The Phoenix
ole wrote:
Whenever I've ever needed to do any filtering I've always been able to use an existing PHP function, regex, or combination to achieve what I want in PHP code that I can easily modify, test and examine.
You can choose to use it, or not. For example, the email regex isn't 100% RFC compliant (turns out none seem to be), so perhaps you want to use a different regex that is more effective. You can easily write your own and use it instead. If I remember correctly, the filter extension even lets you substitute a different regex into it.

However, it does provide a relatively well-designed set of commonly used filters that will make it easier for a majority of users to add filtering. That's a *very* good thing in general. Whether it's a great thing for your project is for you to determine.
ole wrote:
Additionally there is the concern of portability that any new extension implies although I think this is a minute issue in my case.
Keep in mind that in php-5.2 and above, it is included by default. That's far from a majority of sites out there, but if you make your requirements 5.2+, then you are guaranteed its availability.

Personally, some of the filters are really useful for projects I work on. Unfortunately, so few sites run 5.2+ that it's the equivalent of coding for projects years in the future. But if you control your deployment platform, it's a real time-saver.
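The substitution The Phoenix describes, as an added example that is not code from the thread: the same value is checked with the extension's built-in email filter and then with a caller-supplied pattern passed through FILTER_VALIDATE_REGEXP. The inputs and the stricter pattern are constructed for this example.

```php
<?php
// Added example (not from the thread): compare the filter extension's
// built-in email validator with a caller-supplied regex substituted via
// FILTER_VALIDATE_REGEXP, which is the swap The Phoenix refers to.

// Constructed sample input: valid, invalid, and RFC-edge-case addresses.
$inputs = array(
    'user@example.com',
    'first.last+tag@sub.example.org',
    'not an email',
    'user@example.com extra',        // trailing junk after the address
    'user@localhost',                // no dotted domain
    '"quoted local"@example.com',    // RFC-valid; many hand-written regexes reject it
);

// A deliberately stricter pattern than the built-in filter: one token, no
// whitespace, a dotted domain ending in a 2+ letter TLD. This pattern is an
// assumption made for the example, not the extension's own regex.
$strictEmail = '/^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$/';

// Returns the verdict of both checks; filter_var() yields the value on
// success and false on failure, so compare against false, not truthiness
// (an address of "0" would otherwise be misreported).
function checkEmail($value, $pattern)
{
    $builtin = filter_var($value, FILTER_VALIDATE_EMAIL) !== false;

    $custom = filter_var($value, FILTER_VALIDATE_REGEXP,
        array('options' => array('regexp' => $pattern))) !== false;

    return array('builtin' => $builtin, 'custom' => $custom);
}

foreach ($inputs as $value) {
    $r = checkEmail($value, $strictEmail);
    printf("%-40s builtin=%-4s custom=%s\n",
        var_export($value, true),
        $r['builtin'] ? 'pass' : 'fail',
        $r['custom'] ? 'pass' : 'fail');
}
```

The built-in filter's verdict on the quoted local part depends on the PHP version, which is exactly why being able to swap in a pattern you have tested yourself matters.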

Posted: Tue Jun 26, 2007 10:52 am
by alex.barylski
Never even knew they existed. :P

I like mod_security myself...though it causes the occasional headache...

Posted: Tue Jun 26, 2007 11:57 am
by Ollie Saunders
Thanks guys. I think I'm going to use it because I have my own dedicated server. I think in general I should probably make more use of libraries et al. Today I've been through every single function reference section from .NET to Zlib, deciding whether I want it or not and creating a really simple test case so that I can synchronize the production and development servers and test any new builds I do. Have a look:

Code:

<?php
ini_set('display_errors', true);
error_reporting(E_ALL | E_STRICT);
// Read the host name via php_uname() rather than the backtick operator, so the
// script still runs where shell_exec (and therefore backticks) is disabled,
// which is what the checks below require.
define('PRODUCTION', trim(php_uname('n')) === 'production');
$tests = $errors = $failures = 0;
function attest($actual, $expected, $strict = true)
{
    static $file = null;
    if (!$file) {
        $file = file(__FILE__);
    }
    $GLOBALS['tests']++;
    $result = $strict ? $actual === $expected : $actual == $expected;
    if ($result === false) {
        $GLOBALS['failures']++;
        $bt = debug_backtrace();
        do {
            $current = array_pop($bt);
        } while (is_array($current) && $current['function'] !== __FUNCTION__);
        $line = $current['line'];
        $code = array();
        preg_match('~attest\((.*),.*\)~s', $file[$line - 1], $code);
        // Guard against a failed match so the notice does not count as an error.
        $code = isset($code[1]) ? $code[1] : '(unknown expression)';
        $expected = var_export($expected, true);
        $actual = var_export($actual, true);
        echo "Attestation failed [$line]: Expected $expected from $code but got $actual\n";
    }
}
function errorHandle($errorCode, $str, $file, $line)
{
    $GLOBALS['errors']++;
    echo "Error occurred [$line]: $str\n";
}
echo 'Server test, being performed by ' . __FILE__ . ':';
echo "\n-----------------------------------------------\n";
set_error_handler('errorHandle');
runTests();
restore_error_handler();
echo "\n$tests tests completed: $failures failures and $errors errors\n\n";


function runTests()
{
    if (PRODUCTION) {
        attest(version_compare(PHP_VERSION, "5.2.3"), 0);
    } else {
        attest(version_compare(PHP_VERSION, "5.1.2"), 0);
    }
    attest(ini_get('register_globals'), false, false);
    attest(ini_get('apc.enabled'), PRODUCTION, false);
    attest(ini_get('short_open_tag'), !PRODUCTION, false);
    attest(ini_get('log_errors'), PRODUCTION, false);

    attest(function_exists('spl_classes'), true);
    attest(function_exists('bcadd'), true);
    attest(function_exists('cal_days_in_month'), true);
    attest(function_exists('ctype_alnum'), true);
    attest(function_exists('curl_init'), true);
    attest(function_exists('dio_open'), false);
    attest(function_exists('dbx_connect'), false);
    attest(function_exists('dbm_open'), false);
    attest(function_exists('dbase_open'), false);
    attest(function_exists('dba_open'), false);
    attest(function_exists('dbplus_add'), false);
    attest(function_exists('cyrus_query'), false);
    attest(function_exists('cybermut_testmac'), false);
    attest(function_exists('cybercash_encr'), false);
    attest(function_exists('crack_check'), false); // may add this later
    attest(class_exists('DOMDocument'), true);
    attest(function_exists('domxml_open_file'), false); // an old extension that shouldn't be kept around
    attest(function_exists('exif_imagetype'), true);
    attest(function_exists('expect_expectl'), false); // possibly dangerous
    attest(function_exists('expect_popen'), false);
    attest(function_exists('fam_open'), false);
    attest(function_exists('fdf_open'), false);
    attest(function_exists('finfo_open'), false);
    attest(function_exists('filepro'), false);
    attest(function_exists('filter_var'), true); // useful
    attest(function_exists('ibase_connect'), false);
    attest(function_exists('fbsql_connect'), false);
    attest(function_exists('ftp_connect'), true);
    attest(function_exists('geoip_id_by_name'), false);
    attest(function_exists('gettext'), true);
    attest(function_exists('gmp_init'), false);
    attest(function_exists('gnupg_encrypt'), false);
    attest(function_exists('gopher_parsedir'), false);
    attest(class_exists('HaruDoc'), false);
    attest(function_exists('hash'), true); // does no harm, usually I'll use mhash though
    attest(class_exists('HttpMessage'), false);
    attest(function_exists('hw_Connect'), false);
    attest(class_exists('HW_API'), false);
    attest(function_exists('db2_connect'), false);
    attest(function_exists('icap_open'), false);
    attest(function_exists('iconv'), true);
    attest(function_exists('id3_set_tag'), false);
    attest(function_exists('iis_add_server'), false);
    attest(function_exists('imagecreatetruecolor'), true);
    attest(function_exists('imagegd2'), true);
    attest(function_exists('imagegif'), true);
    attest(function_exists('imagepng'), true);
    attest(function_exists('imagejpeg'), true);
    attest(function_exists('imagettftext'), true);
    attest(function_exists('imagefilter'), true);
    attest(class_exists('Imagick'), false);
    attest(function_exists('imap_open'), false);
    attest(function_exists('ifx_connect'), false);
    attest(function_exists('ingres_connect'), false);
    attest(function_exists('ircg_pconnect'), false);
    attest(function_exists('json_encode'), PRODUCTION);
    attest(function_exists('kadm5_init_with_password'), false);
    attest(function_exists('ldap_connect'), true);
    attest(function_exists('libxml_clear_errors'), false);
    attest(function_exists('notes_body'), false);
    attest(function_exists('lzf_compress'), false);
    attest(function_exists('mail'), !PRODUCTION);
    attest(function_exists('mailparse_msg_create'), false);
    attest(function_exists('maxdb_character_set_name'), false);
    attest(function_exists('mcal_open'), false); // could be useful later however
    attest(function_exists('mcrypt_encrypt'), PRODUCTION);
    attest(class_exists('Memcache'), PRODUCTION);
    attest(function_exists('mhash'), PRODUCTION);
    attest(function_exists('mime_content_type'), false);
    attest(class_exists('SWFAction'), false); // could be useful later however
    attest(function_exists('udm_add_search_limit'), false);
    attest(function_exists('mssql_connect'), false);
    attest(function_exists('msession_connect'), false);
    attest(function_exists('msql_connect'), false);
    attest(function_exists('mb_substr'), true);
    attest(function_exists('muscat_get'), false);
    attest(function_exists('mysql_connect'), true);
    attest(class_exists('mysqli'), true);
    attest(function_exists('ncurses_init'), false); // interesting though
    attest(function_exists('newt_init'), false); // also interesting
    attest(function_exists('nsapi_virtual'), false);
    attest(function_exists('aggregate'), false);
    attest(function_exists('overload'), false);
    attest(function_exists('oci_connect'), false);
    attest(function_exists('odbc_connect'), false);
    attest(function_exists('openal_context_create'), false);
    attest(function_exists('openssl_open'), true);
    attest(function_exists('ora_exec'), false);
    attest(function_exists('ovrimos_exec'), false);
    attest(function_exists('px_create_fp'), false);
    attest(function_exists('parsekit_compile_file'), false);
    attest(function_exists('pcntl_exec'), false);
    attest(function_exists('preg_match'), true);
    attest(function_exists('PDF_activate_item'), false);
    attest(class_exists('PDO'), true);
    attest(class_exists('Phar'), true);
    attest(function_exists('posix_access'), false); // dangerous
    attest(function_exists('pg_connect'), false);
    attest(function_exists('printer_open'), false);
    attest(function_exists('recode'), false); // iconv and mbstring are better
    attest(function_exists('ps_new'), false);
    attest(function_exists('pspell_check'), false);
    attest(function_exists('qdom_tree'), false);
    attest(function_exists('radius_acct_open'), false);
    attest(function_exists('rar_open'), false);
    attest(function_exists('readline'), false);
    attest(function_exists('rpm_open'), false);
    attest(function_exists('runkit_lint'), false);
    attest(class_exists('SAMConnection'), false);
    attest(function_exists('satellite_object_to_string'), false);
    attest(class_exists('SDO_DataFactory'), false);
    attest(class_exists('SDO_DAS_XML'), false);
    attest(class_exists('SDO_DAS_Relational'), false);
    attest(function_exists('sem_acquire'), false);
    attest(function_exists('sesam_connect'), false);
    attest(function_exists('session_pgsql_get_field'), false);
    attest(function_exists('shmop_open'), false);
    attest(function_exists('simplexml_load_file'), true);
    attest(class_exists('SoapServer'), false);
    attest(function_exists('socket_accept'), false);
    attest(function_exists('sqlite_exec'), true);
    attest(function_exists('ssh2_connect'), false);
    attest(function_exists('stats_variance'), false);
    attest(function_exists('swf_viewport'), false);
    attest(class_exists('Swish'), false);
    attest(function_exists('sybase_query'), false);
    attest(function_exists('tcpwrap_check'), false);
    attest(class_exists('tidyNode'), false);
    attest(function_exists('token_get_all'), true);
    attest(function_exists('pfpro_init'), false);
    attest(function_exists('vpopmail_alias_add'), false);
    attest(function_exists('wddx_add_vars'), false);
    attest(function_exists('xattr_set'), false);
    attest(function_exists('xdiff_file_diff'), false);
    attest(function_exists('xml_parse'), false);
    attest(function_exists('xmlrpc_encode'), false);
    attest(class_exists('XMLReader'), false);
    attest(class_exists('XMLWriter'), false);
    attest(class_exists('XSLTProcessor'), true);
    attest(function_exists('xslt_create'), false);
    attest(function_exists('yaz_connect'), false);
    attest(function_exists('yp_all'), false);
    attest(function_exists('zip_open'), true);
    attest(function_exists('gzopen'), false);

    // these functions should be installed but disabled by default:
    attest(function_exists('ereg_replace'), false);
    attest(function_exists('ereg'), false);
    attest(function_exists('eregi_replace'), false);
    attest(function_exists('eregi'), false);
    attest(function_exists('split'), false);
    attest(function_exists('spliti'), false);
    attest(function_exists('sql_regcase'), false);
    attest(function_exists('escapeshellarg'), false);
    attest(function_exists('escapeshellcmd'), false);
    attest(function_exists('exec'), false);
    attest(function_exists('passthru'), false);
    attest(function_exists('proc_close'), false);
    attest(function_exists('proc_get_status'), false);
    attest(function_exists('proc_nice'), false);
    attest(function_exists('proc_open'), false);
    attest(function_exists('proc_terminate'), false);
    attest(function_exists('shell_exec'), false);
    attest(function_exists('system'), false);

    $diff = array_diff(stream_get_filters(), array(
        'string.toupper', 'string.tolower',
        'string.base64',  'string.quoted-printable',
    ));
    attest(empty($diff), true);
    // probably need more gd attestations
}
It's not finished yet. I'm going to go through the whole of appendix I and write attestations for the most secure PHP environment by default. You know, having gone into this in detail, I now think there is actually enough scope to write a book on PHP configuration alone. Not that I'm going to do it; I'm not really an expert in this field.