On Mon, Sep 4, 2017 at 3:33 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

> Hi all,
>
> I spent a little time on a new input validation module. It's not a totally
> new module, but is based on the Filter module's validation filter improvement
> RFC in many ways. [1]
>
> As all of us knew already, input validation is the most important practice
> in secure coding. [2][3] Yet, we don't provide a usable feature out of the box.
> Sadly, almost all apps do not have proper input validation at the trust
> boundary. Unless we improve filter's validation, we need a usable basic
> validator by default. IMO.
>
> Since I didn't get much feedback during the RFC discussion, I cannot tell
> what part is disliked. I guess too many features in filter is one reason.
> Another is messed-up code/features by providing both "filter" and
> "validation".
>
> Validator for PHP7 (validate module) gets rid of unneeded features. It
> only has features for basic PHP data type validations. The validation
> rule (spec) array is flexible enough. Almost any type of input could be
> handled by multiple and nested validation rules.
>
> Except for some minor features like overflow checks, most planned features are
> implemented.
>
> https://github.com/yohgaki/validate-php
>
> Although the code is based on the filter module's code, it's an almost full
> rewrite, except for the validation logic that came from filter. Please consider
> this an under-development module.
> Feedback is appreciated.
>
> Regards,
>
> [1] https://wiki.php.net/rfc/add_validate_functions_to_filter
> [2] https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
> [3] https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>


I thought it would be nice to have a PHP script version of
Validate PHP. It is a lot easier to modify the API as needed. So
I spent a few hours last weekend.

https://github.com/yohgaki/validate-php-scr

Caution, I just wrote it and didn't debug it yet.
However, it is good enough to play with, I suppose.

The API differs a little. This has a more simplified parameter
structure. Suggestions and comments are appreciated.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
