dagfinn | 03 February, 2006 16:17
I'm reading Chris Shiflett's Essential PHP Security. He suggests making sure all input is filtered by putting it in an array called $clean after it's filtered. This is a way to make sure you don't forget to filter any input, so that only filtered data enters the bowels of the application.
I like the idea, but it collides with common practice among us object bigots in the PHP world, which is having a Request class, instantiating it and passing it around.
I can think of several ways to accomplish something similar with a Request object. One is something along the lines of Marco Tabini's trick of wrapping $_GET and $_POST in a Filter object, using ArrayAccess, which allows them to be used as objects while still looking superficially like the original arrays.
My problem with this is not the clever ArrayAccess trick, but the fact that it's based on using different methods (html(), email(), etc.) to get at the contents of the request depending on what you want to do with it. It's simple, but what I would prefer is to be able to create a validator that contains a set of validation rules for each variable in the request, and let that take care of the filtering:
$request = new Request;
$validator = ... // Whatever we need to create the appropriate validator
$valid = $validator->validate($request);
If $valid is FALSE, we send a response back to the user, asking for corrected input.
The problem is what happens if the validator doesn't validate everything. There is no guarantee that the validator contains validation code for all the variables in the HTTP request, so dangerous input may go unnoticed.
A way to avoid that might be to let the validator create a new request object that only contains the variables that have actually been validated:
$request = new RawRequest;
$validator = ... // Whatever we need to create the appropriate validator
$clean = $validator->validate($request);
We can let $clean belong to a different class--say, FilteredRequest--that is much more open to the world than the RawRequest, which does not expose its contents except by some less-than-obvious method such as getForValidation().
How to implement this is another story with its own challenges.
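One possible shape for the RawRequest / FilteredRequest split described above, as an added example that is not code from the original post. It assumes PHP 8; the Validator class, its rule closures, the has()/get() accessors and the sample variables are hypothetical, and only RawRequest, FilteredRequest and getForValidation() are names taken from the text.

```php
<?php
final class RawRequest {
    public function __construct(private array $vars) {}
    // Deliberately awkward accessor: application code has no casual way to read raw input.
    public function getForValidation(): array { return $this->vars; }
}

final class FilteredRequest {
    public function __construct(private array $clean) {}
    public function has(string $name): bool { return array_key_exists($name, $this->clean); }
    public function get(string $name): string {
        if (!$this->has($name)) {
            // Asking for a variable that has no rule is a programming error, so fail loudly.
            throw new OutOfBoundsException("'$name' was never validated");
        }
        return $this->clean[$name];
    }
}

final class Validator {
    public array $errors = [];
    // $rules maps variable name => callable(string): bool (hypothetical rule format).
    public function __construct(private array $rules) {}
    public function validate(RawRequest $request): ?FilteredRequest {
        $raw = $request->getForValidation();
        $clean = [];
        $this->errors = [];
        // Iterate over the rules, not over the input: variables without a rule are never copied.
        foreach ($this->rules as $name => $rule) {
            $value = $raw[$name] ?? null;
            // is_string() also rejects array input such as age[]=1 before the rule runs.
            if (is_string($value) && $rule($value)) {
                $clean[$name] = $value;
            } else {
                $this->errors[] = $name;
            }
        }
        return $this->errors === [] ? new FilteredRequest($clean) : null;
    }
}

// Constructed sample input standing in for $_POST; 'debug' has no validation rule.
$raw = new RawRequest(['email' => 'user@example.org', 'age' => '42', 'debug' => '<script>']);
$validator = new Validator([
    'email' => fn(string $v): bool => filter_var($v, FILTER_VALIDATE_EMAIL) !== false,
    'age'   => fn(string $v): bool => ctype_digit($v) && (int) $v <= 150,
]);
$clean = $validator->validate($raw);
var_dump($clean->get('email'), $clean->has('debug'));
```

Because the validator builds the FilteredRequest from its own rule list, a request variable nobody wrote a rule for cannot reach the application. PHP has no way to restrict who may call the FilteredRequest constructor, so that part remains a convention.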