Zend Framework Blog:
Validate data using zend-inputfilter
Jun 16, 2017 @ 09:22:37

Matthew Weier O'Phinney is back on the Zend Framework blog today with a spotlight on another component of the Zend Framework. This time he features zend-inputfilter, a useful component for filtering the data coming into your application from your users.

In our previous two posts, we covered zend-filter and zend-validator. With these two components, you now have the tools necessary to ensure any given user input is valid, fulfilling the first half of the "filter input, escape output" mantra.

[...] To solve [the single shot validation] problem, Zend Framework provides zend-inputfilter. An input filter aggregates one or more inputs, any one of which may also be another input filter, allowing you to validate complex, multi-set, and nested set values.

As in the other tutorials in the series, Matthew walks you through installing the component via Composer and briefly describes how it operates. He then includes a code example that creates a new InputFilter instance, builds Input objects, attaches validators to them, and checks the whole set with a single isValid call. He then covers input specifications (array-based configuration) as an alternative way to define the filters and validators on each input. He ends the post by looking at nested input filters, how to manage them, and how to define them by specification, and mentions a few other pieces of functionality the component includes that he didn't cover here.
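
As an added example (this is not code from Matthew's post), the procedure above in one runnable script: two inputs built in code, a nested "address" input filter defined by specification, and the isValid/getValues/getMessages round trip. It assumes `zendframework/zend-inputfilter` has been installed with Composer (which pulls in zend-filter and zend-validator), and the request array is constructed here in place of `$_POST`:

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumes: composer require zendframework/zend-inputfilter

use Zend\Filter\StringTrim;
use Zend\Filter\StripTags;
use Zend\InputFilter\Input;
use Zend\InputFilter\InputFilter;
use Zend\Validator\EmailAddress;
use Zend\Validator\StringLength;

// Inputs built in code: each carries its own filter chain (runs first) and validator chain.
$email = new Input('email');
$email->getFilterChain()->attach(new StringTrim());
$email->getValidatorChain()->attach(new EmailAddress());

$name = new Input('name');
$name->getFilterChain()->attach(new StringTrim())->attach(new StripTags());
$name->getValidatorChain()->attach(new StringLength(['min' => 1, 'max' => 100]));

$inputFilter = new InputFilter();
$inputFilter->add($email)->add($name);

// The same thing by specification, here as a nested input filter for an address block.
$inputFilter->add([
    'type'   => InputFilter::class,
    'street' => [
        'name'       => 'street',
        'required'   => true,
        'filters'    => [['name' => 'StringTrim']],
        'validators' => [['name' => 'StringLength', 'options' => ['min' => 1, 'max' => 200]]],
    ],
    'postcode' => [
        'name'       => 'postcode',
        'required'   => false,
        'validators' => [['name' => 'Digits']],
    ],
], 'address');

// Constructed request data standing in for $_POST; note the key that was never declared.
$request = [
    'email'    => '  alice@example.com ',
    'name'     => 'Alice <b>Smith</b>',
    'address'  => ['street' => '1 Main St', 'postcode' => '12345'],
    'is_admin' => '1',
];

$inputFilter->setData($request);

if (! $inputFilter->isValid()) {
    // Messages are keyed by input name (nested filters give nested arrays). Log them;
    // do not echo the raw request back to the client.
    var_export($inputFilter->getMessages());
    exit(1);
}

// getValues() returns only the declared inputs, after filtering: the undeclared
// is_admin key is dropped and the name has been trimmed and stripped of tags.
// Hand this array on to the application, never $request itself.
var_export($inputFilter->getValues());
```

The point worth remembering is the last line: because getValues() is built from the declared inputs, the input filter doubles as an allow-list against mass assignment, but only if the rest of the code consumes its output rather than the superglobal.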

tagged: zendinputfilter component zendframework series input filter chain

Link: https://framework.zend.com/blog/2017-06-15-zend-inputfilter.html

Zend Framework Blog:
Filter input using zend-filter
Jun 09, 2017 @ 10:58:19

The Zend Framework blog has posted a new tutorial covering a single component of the framework. In this latest article ZF lead developer Matthew Weier O'Phinney covers the zend-filter component for filtering input from your users.

When securing your website, the mantra is "Filter input, escape output." We previously covered escaping output with our post on zend-escaper. We're now going to turn to filtering input.

Filtering input is rather complex and spans a number of practices: filtering/normalizing input [and] validating input. For now, we're going to look at the first item, filtering and normalizing input, using the component zend-filter.

He shows you how to get the component installed via Composer and talks about its dependencies, required and optional; since the post uses the FilterChain functionality, he also installs the optional dependency it needs. He moves into the code, showing the interface a filter must implement (basically just a "filter" method). He covers some of the common filters included with the component and how to refactor hand-written normalization code into a FilterChain performing the same operations. He ends with another example that reads lines from a file and runs the chain over the resulting array of strings.
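
As an added example (not code from Matthew's post), a custom filter that implements the interface, a FilterChain that combines it with two built-in filters, and the chain applied to an array of lines. It assumes `zendframework/zend-filter` and its optional zend-servicemanager dependency are installed via Composer; the CollapseWhitespace class is a hypothetical filter written for this example, and the input lines are constructed in place of reading a file:

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumes: composer require zendframework/zend-filter zendframework/zend-servicemanager

use Zend\Filter\FilterChain;
use Zend\Filter\FilterInterface;
use Zend\Filter\StringTrim;

// A custom filter is any class with a filter() method. Hypothetical filter for this
// example: fold runs of whitespace into one space so "alice   smith" and "alice smith"
// normalize to the same value.
final class CollapseWhitespace implements FilterInterface
{
    public function filter($value)
    {
        if (! is_string($value)) {
            return $value;   // built-in filters also pass non-strings through untouched
        }
        return preg_replace('/\s+/', ' ', $value);
    }
}

// Before: the same normalization inlined wherever the value is read.
function normalizeUsernameByHand(string $raw): string
{
    return strtolower(preg_replace('/\s+/', ' ', trim($raw)));
}

// After: one chain, run in attachment order, reused everywhere the value is read.
$chain = new FilterChain();
$chain->attach(new StringTrim())
      ->attach(new CollapseWhitespace())
      ->attachByName('StringToLower');   // resolved through the filter plugin manager

// Constructed input standing in for file('users.txt', FILE_IGNORE_NEW_LINES).
$lines = ["  Alice   Smith\t", 'BOB jones', 'carol  WHITE '];

$byHand  = array_map('normalizeUsernameByHand', $lines);
$byChain = array_map([$chain, 'filter'], $lines);

var_export($byHand);
echo PHP_EOL;
var_export($byChain);   // same result as the hand-written version, from a reusable chain
```

Filtering here is normalization only: nothing in the chain decides whether a value is acceptable, which is what the validator post in the series covers. In particular StripTags-style filters are not an XSS defence; escaping belongs at output, as the mantra says.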

tagged: zendframework component tutorial introduction zendfilter input

Link: https://framework.zend.com/blog/2017-06-08-zend-filter.html

Sebastian de Deyne:
Normalize Your Values on Input
Mar 11, 2016 @ 11:55:58

In a post to his site Sebastian de Deyne makes the suggestion that you should normalize your values (input) as soon as possible.

Dynamic languages allow us to pass anything as a parameter without requiring a specific type. In turn, this means we often need to handle some extra validation for the data that comes in to our objects.

This is a lightweight post on handling your incoming values effectively by normalizing them as soon as possible. It's a simple guideline worth keeping in mind which will help you keep your code easier to reason about.

He gives the example of an HtmlClass object that can accept either a single string or an array of strings. With that structure he shows the complexity it would add to methods like toArray and toString. Instead he recommends normalizing the value in the constructor, turning it into an array if it isn't one already. The code in the rest of the class that uses or converts it is then much simpler.
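
An added example of that guideline (not Sebastian's code): the constructor accepts either form and normalizes once, so toArray and toString carry no branching. The check that each class is a plain CSS token is an addition for this example, not something the post prescribes:

```php
<?php
declare(strict_types=1);

final class HtmlClass
{
    /** @var string[] */
    private $classes;

    /**
     * @param string|string[] $classes  e.g. 'btn btn-primary' or ['btn', 'btn-primary']
     */
    public function __construct($classes)
    {
        if (is_string($classes)) {
            // One string may carry several space-separated classes: split it here, once.
            $classes = preg_split('/\s+/', trim($classes), -1, PREG_SPLIT_NO_EMPTY);
        }
        if (! is_array($classes)) {
            throw new InvalidArgumentException('Expected a string or an array of strings');
        }
        foreach ($classes as $class) {
            // Added for this example: only plain class tokens, so quotes or '>' never reach markup.
            if (! is_string($class) || ! preg_match('/^[A-Za-z_-][\w-]*$/', $class)) {
                throw new InvalidArgumentException('Invalid class name: ' . var_export($class, true));
            }
        }
        // From here on every method sees one shape: a de-duplicated, re-indexed list of strings.
        $this->classes = array_values(array_unique($classes));
    }

    /** @return string[] */
    public function toArray(): array
    {
        return $this->classes;   // no "is it a string or an array?" branch needed
    }

    public function toString(): string
    {
        return implode(' ', $this->classes);
    }

    public function __toString(): string
    {
        return $this->toString();
    }
}

// Both spellings end up in the same normalized form after construction.
$fromString = new HtmlClass('btn  btn-primary btn');
$fromArray  = new HtmlClass(['btn', 'btn-primary']);
var_export($fromString->toArray());
echo PHP_EOL, $fromArray->toString(), PHP_EOL;

try {
    new HtmlClass(['btn', 'x" onmouseover="alert(1)']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```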

tagged: normalize values input array string example tutorial

Link: https://sebastiandedeyne.com/posts/2016/normalize-your-values-on-input

SitePoint PHP Blog:
More Tips for Defensive Programming in PHP
Jan 25, 2016 @ 12:07:48

The SitePoint PHP blog has posted a tutorial continuing on from some previous advice with even more defensive programming practices you can use in your PHP applications.

Many people argue against defensive programming, but this is often because of the types of methods they have seen espoused by some as defensive programming. Defensive programming should not be viewed as a way to avoid test driven development or as a way to simply compensate for failures and move on. [...] What are these methods, if not ways to anticipate that your program may fail, and either prevent those, or else ways in which to handle those failures appropriately?

They go on to talk about the ideas of "failing fast" when errors happen in your application with an extra suggestion added on - "fail loud" too. The tutorial then looks at four different places where more defensive programming techniques can be applied (and how):

  • Input validation
  • Preventing Accidental Assignment in Comparisons
  • Dealing with Try/Catch and Exceptions
  • Transactions

They end with a recommendation that, while you should fail fast and loud when issues come up, it should not be to the detriment of the overall user experience, nor should you surface messages that would only confuse users.
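
As an added example that is not from the SitePoint article, three of the four points above in one function: input checks that fail fast, a constant-on-the-left comparison that turns a mistyped "=" into a parse error, and a transaction with rethrow so a failure half-way through leaves nothing applied. It uses an in-memory SQLite database so it runs stand-alone; the accounts table and the transfer() function are constructed for this example:

```php
<?php
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loud: every DB error throws
$pdo->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL CHECK (balance >= 0))');
$pdo->exec('INSERT INTO accounts (id, balance) VALUES (1, 100), (2, 0)');

function transfer(PDO $pdo, int $from, int $to, int $amount): void
{
    // Fail fast: reject impossible requests before touching the database.
    if ($amount <= 0) {
        throw new InvalidArgumentException("amount must be positive, got $amount");
    }
    if ($from === $to) {
        throw new InvalidArgumentException('source and destination accounts are the same');
    }

    $pdo->beginTransaction();
    try {
        $debit = $pdo->prepare('UPDATE accounts SET balance = balance - :amt WHERE id = :id');
        $debit->execute([':amt' => $amount, ':id' => $from]);
        // Constant on the left: a mistyped "=" here is a parse error, not a silent assignment.
        if (1 !== $debit->rowCount()) {
            throw new RuntimeException("account $from does not exist");
        }

        $credit = $pdo->prepare('UPDATE accounts SET balance = balance + :amt WHERE id = :id');
        $credit->execute([':amt' => $amount, ':id' => $to]);
        if (1 !== $credit->rowCount()) {
            throw new RuntimeException("account $to does not exist");
        }

        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();   // the debit is undone if anything after it failed
        throw $e;           // never swallow it: the caller decides how to report it
    }
}

function balances(PDO $pdo): array
{
    return $pdo->query('SELECT id, balance FROM accounts ORDER BY id')->fetchAll(PDO::FETCH_KEY_PAIR);
}

transfer($pdo, 1, 2, 30);
var_export(balances($pdo));
echo PHP_EOL;

try {
    // Overdraws account 1: the CHECK constraint fires inside the transaction and it is rolled back.
    transfer($pdo, 1, 2, 500);
} catch (PDOException $e) {
    // Loud internally, quiet externally: log the detail, tell the user something they can act on.
    error_log($e->getMessage());
    echo 'Transfer could not be completed', PHP_EOL;
}
var_export(balances($pdo));   // unchanged by the failed transfer
echo PHP_EOL;
```

The final catch is the article's closing caveat in code: the exception message goes to the log, and the user sees a message without internal detail.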

tagged: tutorial series defensive programming tips failfast input validation assignment trycatch transaction

Link: http://www.sitepoint.com/more-tips-for-defensive-programming-in-php/

Derick Rethans:
Questions from the Field: Should I Escape My Input, And If So, How?
Jan 27, 2015 @ 09:22:04

In his latest post Derick Rethans shares his answer to a question he was asked at a recent PHP conference regarding the escaping of input before use in a MongoDB query.

At last weekend's PHP Benelux I gave a tutorial titled "From SQL to NoSQL". Large parts of the tutorial covered using MongoDB—how to use it from PHP, schema design, etc. I ran a little short of time, and since then I've been getting some questions. One of them being: "Should I escape my input, and if so, how?". Instead of trying to cram my answer in 140 characters on Twitter, I thought it'd be wise to reply with this blog post. The short answer is: yes, you do need to escape.

He uses the rest of the post to get into the longer answer: why you should still validate and what can be done. He points out that, because MongoDB queries are built as structured documents rather than concatenated strings, classic SQL-style injection is far harder. He does remind you, though, that PHP parses bracketed query-string keys into arrays in the superglobals, so a client can submit an array (one containing a query operator, for instance) where your code expects a scalar. He gives an example of how this works and why it's a problem.
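
An added example of the array problem and the data-type check it calls for (not Derick's code, and it needs no MongoDB driver to run): the request arrays are constructed with parse_str, which fills them exactly the way PHP fills $_GET for those query strings.

```php
<?php
declare(strict_types=1);

// PHP turns "username[$ne]=1" into ['username' => ['$ne' => '1']]. Dropped into a
// query filter unchecked, that array is a MongoDB operator, not a username.
function naiveFilter(array $request): array
{
    // What a handler that trusts the shape of the request would send as the query filter.
    return ['username' => $request['username'] ?? null, 'password' => $request['password'] ?? null];
}

function requireString(array $request, string $key): string
{
    // The check the post asks for: insist on the data type you expect before it reaches the query.
    if (! array_key_exists($key, $request) || ! is_string($request[$key])) {
        throw new InvalidArgumentException("'$key' must be a string");
    }
    return $request[$key];
}

function safeFilter(array $request): array
{
    return [
        'username' => requireString($request, 'username'),
        'password' => requireString($request, 'password'),
    ];
}

// Constructed requests, parsed as PHP would parse the equivalent query strings.
parse_str('username[$ne]=&password[$ne]=', $evil);
parse_str('username=alice&password=s3cret', $honest);

var_export(naiveFilter($evil));     // {"$ne": ""} on both fields: a filter that matches every document
echo PHP_EOL;
var_export(safeFilter($honest));    // plain strings: an exact-match filter
echo PHP_EOL;

try {
    safeFilter($evil);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same applies to every other type: a field that must be an integer should be checked with FILTER_VALIDATE_INT and cast before it is used, since `(string)` on an array yields "Array" plus a warning rather than an error. (A real login handler would look the user up by username alone and compare the stored hash with password_verify(); the two-field filter above is the shape the question was about.)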

So although MongoDB's query language does not require you to build strings, and hence "escape" input, it is required that you either make sure that the data is of the correct data type.

tagged: escape input mongodb phpbnl15 question answer datatype

Link: http://derickrethans.nl/escape-input.html

Hari KT:
Aura Input Form Inside Slim Framework
Sep 08, 2014 @ 10:55:13

Hari KT has a new post to his site today showing how you can integrate the Aura PHP components into a Slim framework application for input handling, such as from a form. Aura PHP is a set of decoupled components for things like CLI handling, dependency injection and SQL queries (among others).

Rob Allen wrote about Integrating ZF2 forms into Slim. I did write how you can use Aura.Input and Aura.Html to create standalone form for PHP. This time I felt I should write about integrating aura input inside Slim.

He includes the Composer configuration to install the HTML and Input components as well as an up-to-date version of the Slim framework. Code showing how to create the form class (a "Contact form") is included, showing both the creation of the elements and the filtering/validation checks put on each. He shows how the Slim routes would handle the request as well as how the view processes the request and displays the form via a helper. You can get the full working code in this repository over on GitHub.

tagged: auraphp framework slim form input html tutorial

Link: http://harikt.com/blog/2014/09/02/aura-input-form-inside-slim-framework/

Greg Freeman:
Processing data with PHP using STDIN and Piping
Nov 18, 2013 @ 10:24:56

Greg Freeman has a post today looking at using streams and STDIN in PHP to handle incoming data (such as input piped to a CLI script).

PHP streams are still lacking in documentation and are rarely used compared to other PHP features. This is a shame because they can be really powerful and I have used them to gain a lot of performance when doing things such as processing log files. One of the more powerful features of Linux is the ability to pipe in data from another program, it’s often faster to offload tasks to an existing linux user space program than to do it in PHP and the added benefit is that you gain multi core processing which is not possible with standard PHP.

He talks briefly about the "pipe" character and how it lets you send the output of one command to another. He shows how to handle that same kind of input in PHP using the "php://stdin" stream and an fopen call. He then goes a bit deeper into how the streams work (blocking versus non-blocking reads) and the configuration and metadata you can get about the current streams. The post finishes with an example of a non-blocking input handler that automatically ends execution if no data arrives within three seconds.
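
An added example in that spirit (not Greg's code): a non-blocking reader built on stream_select() that gives up after three seconds, feeding a small record processor. The "name,count" record format and sumCounts() are constructed for this example; run it as `printf 'a,1\nb,2\n' | php stdin_sum.php`, or without a pipe and wait to see the timeout.

```php
<?php
declare(strict_types=1);

function readLinesWithTimeout($stream, int $timeoutSeconds): array
{
    stream_set_blocking($stream, false);
    $lines = [];

    while (true) {
        $read = [$stream];
        $write = $except = null;
        // Sleep until there is something to read, or give up after the timeout.
        $ready = stream_select($read, $write, $except, $timeoutSeconds);
        if ($ready === false) {
            throw new RuntimeException('stream_select() failed');
        }
        if ($ready === 0) {
            throw new RuntimeException("no input within {$timeoutSeconds}s");
        }

        $line = fgets($stream);
        if ($line === false) {
            if (feof($stream)) {
                break;       // the writer closed the pipe: all data received
            }
            continue;        // readable but no complete line yet: wait again
        }
        $lines[] = rtrim($line, "\r\n");
    }

    return $lines;
}

// Hypothetical record format "name,count": total the counts, reporting malformed lines
// on STDERR instead of silently skipping them.
function sumCounts(array $lines): int
{
    $total = 0;
    foreach ($lines as $n => $line) {
        if ($line === '') {
            continue;
        }
        $parts = explode(',', $line, 2);
        if (count($parts) !== 2 || filter_var($parts[1], FILTER_VALIDATE_INT) === false) {
            fwrite(STDERR, 'skipping malformed line ' . ($n + 1) . ': ' . $line . PHP_EOL);
            continue;
        }
        $total += (int) $parts[1];
    }
    return $total;
}

try {
    $lines = readLinesWithTimeout(STDIN, 3);
    echo 'total: ', sumCounts($lines), PHP_EOL;
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
    exit(1);
}
```

The timeout guards against a script hanging forever when it is run without a pipe, which is the failure mode a blocking fgets(STDIN) has; for large inputs, process each line as it arrives instead of collecting them all first.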

tagged: data process stdin input handling tutorial pipe

Link: http://www.gregfreeman.org/2013/processing-data-with-php-using-stdin-and-piping/

Paul Jones:
Aura Has New Releases: Input, Sql, and View
Sep 18, 2013 @ 09:58:54

As Paul Jones mentions in his most recent post (pulled from the Aura blog), the Aura framework has some new releases of its component packages - specifically Input, Sql and View.

On the heels of last week’s slew of releases, we have three followups! The Aura.Input package got a feature-level bump to 1.1.0, with a new FormFactory. Thanks to Hari KT for championing that one. Aura.Sql is now at 1.3.0, due to lots of work from MAXakaWIZARD to provide SQLite- and PostgreSQL-specific query objects. Finally, the Aura.View package got a bugfix and is now at 1.2.1; it handles content-type negotiation better for those times when there is no Accept header.

If you'd like more information about the Aura framework, check out the project site or each of the packages that make it up. Aura is a decoupled set of components without additional dependencies.

tagged: aura framework release input sql view component dependency

Link: http://paul-m-jones.com/archives/4731

David Müller:
Why URL validation with filter_var might not be a good idea
Sep 20, 2012 @ 08:09:31

David Müller has a new post to his site today showing why validating URLs with filter_var alone is not enough to protect your application.

Since PHP 5.2 brought us the filter_var function, the time of such [regular expressions-based] monsters was over. [With] the simple, yet effective syntax [and] with a third parameter, filter flags can be passed, [...] 4 flags are available [for URL filtering].

He shows how to use it to filter out a simple XSS issue (a "script" tag in the URL) and some examples of issues that the filter_var function doesn't prevent, such as other schemes ("php://" or "javascript://") being accepted. He recommends adding a wrapper around the function to check for the correct scheme (e.g. "http" or "https" for URLs) and reminds you that filter_var is not multibyte capable.
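
An added example of that wrapper (not David's code): FILTER_VALIDATE_URL only checks that the string parses as a URL with a scheme and, for most schemes, a host; it does not care which scheme. The isAllowedUrl() function below is written for this example and adds the scheme allow-list plus a non-empty host, and the candidate URLs are constructed inputs.

```php
<?php
declare(strict_types=1);

function isAllowedUrl(string $url, array $allowedSchemes = ['http', 'https']): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || ! isset($parts['scheme'], $parts['host'])) {
        return false;   // e.g. file:///etc/passwd parses without a host
    }
    // Case-insensitive on the scheme, strict on the comparison: "HTTPS" passes, "javascript" does not.
    return in_array(strtolower($parts['scheme']), $allowedSchemes, true) && $parts['host'] !== '';
}

// Constructed candidates; only the first should be accepted for, say, a redirect target.
$candidates = [
    'https://example.com/path?x=1',
    'javascript://example.com/%0Aalert(1)',   // has a scheme and a host, so filter_var is satisfied
    'php://filter/resource=index.php',        // likewise: "filter" is the host
    'file:///etc/passwd',                     // filter_var does not require a host for file:
    'example.com/path',                       // no scheme at all
];

foreach ($candidates as $url) {
    printf(
        "%-42s filter_var: %-3s wrapper: %s\n",
        $url,
        filter_var($url, FILTER_VALIDATE_URL) !== false ? 'ok' : 'no',
        isAllowedUrl($url) ? 'ok' : 'no'
    );
}
```

On the multibyte caveat: FILTER_VALIDATE_URL rejects any non-ASCII byte, so an internationalized hostname fails outright; convert it with idn_to_ascii() (intl extension) before validating rather than loosening the check.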

tagged: filtervar url validation security filter input

Link:

PHPMaster.com:
Input Validation Using Filter Functions
Jun 01, 2012 @ 15:53:28

On PHPMaster.com today there's a good tutorial that gives you some methods to do one of the most important things in any application - validating input. Their examples show how to use some of PHP's own filter functions to accomplish this.

Filter functions in PHP might not be sexy, but they can improve the stability, security, and even maintainability of your code if you learn how to use them correctly. In this article I’ll explain why input validation is important, why using PHPs built-in functions for performing input validation is important, and then throw together some examples (namely using filter_input() and filter_var()), discuss some potential pitfalls, and finish with a nice, juicy call to action.

He talks about why validation is important to protect your application (and its users) from malicious input such as cross-site scripting payloads. He emphasizes PHP's own filter functions because they are established and built into the language, so no additional libraries are needed. Example code shows how to use them to validate email addresses and check that a value is an integer.
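
An added example (not from the PHPMaster article) that takes the same functions one step further: one definition array validates a whole request, undeclared keys are dropped, and absent values are told apart from invalid ones. It uses filter_var_array() on constructed arrays so it runs from the command line; filter_input_array(INPUT_POST, DEFINITION) applies the same definition to a live request. The field names and validateRequest() are assumptions made for this example.

```php
<?php
declare(strict_types=1);

const DEFINITION = [
    'email' => FILTER_VALIDATE_EMAIL,
    'age'   => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 0, 'max_range' => 150],
    ],
    'newsletter' => [
        'filter' => FILTER_VALIDATE_BOOLEAN,
        'flags'  => FILTER_NULL_ON_FAILURE,   // without this, "off" and garbage both come back as false
    ],
];

/**
 * Returns [cleanValues, errors]. With add_empty=true, keys missing from the input come
 * back as null; a failed filter comes back as false (or null under FILTER_NULL_ON_FAILURE),
 * so the two cases are distinguished by checking the original input for the key first.
 */
function validateRequest(array $input): array
{
    $filtered = filter_var_array($input, DEFINITION, true);   // keys not in DEFINITION are dropped
    $clean = [];
    $errors = [];

    foreach (DEFINITION as $field => $spec) {
        if (! array_key_exists($field, $input)) {
            $errors[$field] = 'missing';
            continue;
        }
        $nullOnFailure = is_array($spec) && (($spec['flags'] ?? 0) & FILTER_NULL_ON_FAILURE);
        $value = $filtered[$field];
        if ($value === ($nullOnFailure ? null : false)) {
            $errors[$field] = 'invalid';
            continue;
        }
        $clean[$field] = $value;   // already typed: int for age, bool for newsletter
    }

    return [$clean, $errors];
}

// Constructed requests standing in for $_POST.
$good = ['email' => 'alice@example.com', 'age' => '42', 'newsletter' => 'off', 'role' => 'admin'];
$bad  = ['email' => 'alice@', 'age' => '200', 'newsletter' => 'maybe'];

var_export(validateRequest($good));   // role is absent from the clean values: it was never declared
echo PHP_EOL;
var_export(validateRequest($bad));    // every field invalid, none missing
echo PHP_EOL;
```

Two pitfalls the definition handles: a boolean field validated without FILTER_NULL_ON_FAILURE cannot distinguish "off" from junk, and an integer field without a range accepts any value that fits in PHP_INT_MAX, which is rarely what a form means by "age".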

You can find out more about these functions on their manual pages: filter_input, filter_var.

tagged: input validation filter tutorial bestpractice filtervar filterinput

Link: