Hi all,

I spent a little time on a new input validation module. It's not a totally new module, but is based on the Filter module's validation filter improvement RFC in many ways. [1]

As all of us know already, input validation is the most important practice in secure coding. [2][3] Yet, we don't provide a usable feature out of the box. Sadly, almost all apps do not have proper input validation at the trust boundary. Unless we improve filter's validation, we need a usable basic validator by default, IMO.

Since I didn't get much feedback during the RFC discussion, I cannot tell what part is disliked. I guess too many features in filter is one reason. Another is messed up code/features by providing both "filter" and "validation".

Validator for PHP7 (validate module) gets rid of unneeded features. It only has features for basic PHP data type validations. The validation rule (spec) array is flexible enough. Almost any type of input could be handled by multiple and nested validation rules.

Except for some minor features like overflow checks, most planned features are implemented.

https://github.com/yohgaki/validate-php

Although the code is based on the filter module's code, it's almost a full rewrite, except for the validation logic that came from filter.

Please consider this as a module under development. Feedback is appreciated.

Regards,

[1] https://wiki.php.net/rfc/add_validate_functions_to_filter
[2] https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
[3] https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

--
Yasuo Ohgaki
yohg...@ohgaki.net