
phpInputValidator

Posted by Technocrat 
phpInputValidator
July 28, 2009 04:39PM

Hey,

I was wondering if you had time if you could take a look at a project I have been working on to validate PHP input and give me any feedback. It can work in conjunction with HTMLPurifier.

https://www.assembla.com/wiki/show/phpInputValidator/

Thanks

Re: phpInputValidator
July 29, 2009 01:59AM

It's simple.. yes, it can be used.. but you should only ever use HTMLPurifier when you are dealing with input that contains HTML content only!

For input such as plain text from textboxes/textareas that contains no HTML, you should use another method.

You may be interested in PHP filters such as filter_var() and filter_input() (use this for validating $_GET, $_POST etc., and use filter_var() for the rest).

See http://uk3.php.net/filter_var for more details on filter_var() & filter_input()
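
The split described in the reply above (validate plain-text fields with PHP's filter functions, keep HTMLPurifier for fields that are meant to carry HTML), as an added example that is not part of the original thread or of phpInputValidator. The field names and the `$post` array are constructed stand-ins for `$_POST`; in a real request handler `filter_input_array(INPUT_POST, $spec)` takes the place of `filter_var_array($post, $spec)`.

```php
<?php
// Constructed sample data standing in for $_POST (assumption, not from the thread).
$post = [
    'age'     => '42',
    'email'   => 'user@example.com',
    'colour'  => 'purple',                  // not in the allowed set
    'comment' => 'nice <b>post</b> & thanks',
];

// One filter per field. A value that fails validation comes back as false,
// a field that is missing from the input comes back as null.
$spec = [
    'age' => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 0, 'max_range' => 150],
    ],
    'email'  => FILTER_VALIDATE_EMAIL,
    'colour' => [
        'filter'  => FILTER_CALLBACK,
        'options' => function ($value) {
            // Allow-list check with a fixed fallback value.
            return in_array($value, ['red', 'blue', 'green'], true) ? $value : 'red';
        },
    ],
    // Plain text is stored unchanged and escaped when it is written to a page.
    'comment' => FILTER_UNSAFE_RAW,
    'missing' => FILTER_VALIDATE_INT,       // field absent from $post
];

$clean = filter_var_array($post, $spec);

// Reject the request if a required field failed validation or was absent.
foreach (['age', 'email'] as $required) {
    if ($clean[$required] === false || $clean[$required] === null) {
        exit("invalid or missing field: $required\n");
    }
}

var_dump($clean['age'], $clean['email'], $clean['colour'], $clean['missing']);

// Output encoding for a plain-text field: escape, do not purify.
echo htmlspecialchars($clean['comment'], ENT_QUOTES, 'UTF-8'), "\n";

// A field that is supposed to contain HTML (not shown here) is the one that
// would be passed through HTMLPurifier instead of htmlspecialchars().
```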

Re: phpInputValidator
July 29, 2009 10:50AM
I was wondering if you had time if you could take a look at a project I have been working on to validate PHP input and give me any feedback.

I'm curious to know what this does differently from PHP's new built-in input validator.

Re: phpInputValidator
July 29, 2009 11:36AM

It's simple.. yes, it can be used.. but you should only ever use HTMLPurifier when you are dealing with input that contains HTML content only!

For input such as plain text from textboxes/textareas that contains no HTML, you should use another method.

HTMLPurifier is only included/used when invoked and the value is a string. So to use it you would have to do:

$textarea = $getvar->get('textarea', 'POST', 'string', array('purify' => _PIV_VAR_PURIFY));

If not invoked, it uses a preg_match Feyd came up with to strip HTML tags, if it's a string.

You may be interested in PHP filters such as filter_var() and filter_input() (use this for validating $_GET, $_POST etc., and use filter_var() for the rest..... I'm curious to know what this does differently from PHP's new built-in input validator.

I actually use filter_var to validate certain types because it was quicker and more efficient.

As to how it's different, here are the things off the top of my head. This is not everything.

  • It can validate more types (some examples: phone numbers, credit cards, zip codes)
  • It can validate some types better than filter can.
    • I have all the current allowed TLDs and plan to keep that up to date. These are used to validate URLs and emails
    • I used iamcal's email parsing regex which is nearly perfect at validating email addresses
  • You can extend the validation with your own regex or functions, or both.
  • You can have it return a value of your choosing if it doesn't validate or exist
  • You can have it validate against a set range of values. So if you want the value to only be red, blue, green, you can.
  • It has the ability to check for XSS and UNION attacks and then deal with them as you choose
  • Supports and can normalize multibyte
  • Can have it add slashes using a function of your choosing such as mysql_real_escape_string

Re: phpInputValidator
August 12, 2009 06:52PM

Anyone have a chance to check it out?

Re: phpInputValidator
August 13, 2009 03:17PM

Sorry, I have several unrelated projects going on right now and haven't really had a need to look at a PHP input filter. I'll keep your class in mind for the next time I do, though.
