
RE: Concerns about Zend_Filter_Input

by Bill Karwin from Zend


Hi Ed,


Actually, the implementations of Zend_Filter and Zend_Filter_Input in earlier preview releases of Zend Framework have been _replaced_ by a much better object-oriented class design that provides similar functionality.  It’s better because it also serves as an extensible framework for developers to implement custom filters and validators.  And also, an application needs to load only the filters and validators that it needs, instead of a monolithic class that contains all filters and validators.


You can see the proposal that described this change here:

http://framework.zend.com/wiki/x/Wi8


You can see the documentation for the new Zend_Filter and Zend_Validate classes here:

http://framework.zend.com/manual/en/zend.filter.html

http://framework.zend.com/manual/en/zend.validate.html


Neither the old classes nor the new classes force the developer to access input data through filters.  Usage of these classes is encouraged, but it is up to the developer to utilize them.  Both in the old design and in the new design, it is possible to write PHP applications that access inputs such as superglobals directly, without the enforcement of any filtering.


The goal has always been to promote safe programming practices and reduce risks of security issues in application code, by providing classes that help developers filter out malicious content using a simple object-oriented API.  But we don’t want to constrain developers to a single solution.


There is still more work to do, to make the process of filtering and validation even easier to use. We’ll enhance the solution in future versions of Zend Framework after 1.0.  For example, we intend to design an easy-to-use component to apply filtering/validation logic against aggregations of web input data.


Regards,

Bill Karwin



From: Ed Finkler [mailto:coj@...]
Sent: Tuesday, March 13, 2007 10:32 AM
To: Zend FW Core List
Subject: [fw-core] Concerns about Zend_Filter_Input


I wrote up a short piece of code for the Zend DevZone last night, and sent it to Cal Evans.  This code was a basic bootstrap file that utilized Zend_Filter_Input and the Zend::registry methods to provide much safer access to user input while getting around scoping issues.  This morning, after Cal looked it over, he told me something I'd not realized (as it's not mentioned in the 0.8.0 changelog, and the docs are still present on the main FW site): that Zend_Filter_Input has been removed entirely from the ZFW.


Clearly I'm late to the party on this, so I want to ask a few questions before formulating a full opinion on the issue.  The mailing list archives gave me some ideas about the issues involved, but not a clear breakdown of the what and why.


1) Why exactly was Zend_Filter_Input dropped completely?  My impression is that it was because some components that needed access to the superglobals data were not designed to support Zend_Filter_Input, and that Zend_Filter_Input didn't yet support things like iterative access.


2) Will a similar replacement component, one that forces developers to access user input via a filtering API, be included in the 1.0RC?


Thanks in advance,


-- 

Ed Finkler

Web and Security Archive Administrator

CERIAS - Purdue University

v: 765.496.6762  f: 765.496.3181

AIM: funkatronwork

ICQ: 301234029
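As an added example (not code from Bill, Ed, or the framework itself), here is the opt-in pattern Bill describes: a small bootstrap helper that routes every superglobal read through a Zend_Filter chain and a Zend_Validate chain, beside the direct superglobal access the framework does not prevent. It assumes Zend Framework 1.0's chain API (addFilter/filter, addValidator/isValid/getMessages) and the listed filter and validator classes on the include_path; getFilteredInput() is a hypothetical name.

```php
<?php
// Added example, not code from this thread. Assumes Zend Framework 1.0 is on
// the include_path and that Zend_Filter / Zend_Validate expose the chain API
// (addFilter, filter, addValidator, isValid, getMessages) together with the
// Zend_Filter_StripTags, Zend_Filter_StringTrim, Zend_Validate_Int and
// Zend_Validate_Between classes. getFilteredInput() is a hypothetical helper.
require_once 'Zend/Filter.php';
require_once 'Zend/Filter/StripTags.php';
require_once 'Zend/Filter/StringTrim.php';
require_once 'Zend/Validate.php';
require_once 'Zend/Validate/Int.php';
require_once 'Zend/Validate/Between.php';

/**
 * Read one request parameter through a filter chain, then a validator chain.
 * Returns the filtered value, or null (with messages appended) when the value
 * is missing or invalid, so application code never reads $_GET/$_POST itself.
 */
function getFilteredInput(array $source, $key, Zend_Filter $filters,
                          Zend_Validate $validators, array &$messages)
{
    if (!array_key_exists($key, $source) || is_array($source[$key])) {
        $messages[] = "'$key' is missing or has the wrong shape";
        return null;
    }
    $value = $filters->filter((string) $source[$key]);
    if (!$validators->isValid($value)) {
        $messages = array_merge($messages, array_values($validators->getMessages()));
        return null;
    }
    return $value;
}

// 'page' must be an integer between 1 and 500 once markup and whitespace are gone.
$pageFilters = new Zend_Filter();
$pageFilters->addFilter(new Zend_Filter_StripTags());
$pageFilters->addFilter(new Zend_Filter_StringTrim());
$pageValidators = new Zend_Validate();
$pageValidators->addValidator(new Zend_Validate_Int(), true); // stop chain if not an int
$pageValidators->addValidator(new Zend_Validate_Between(1, 500));

// Constructed sample request standing in for the real $_GET.
$request = array('page' => ' <b>7</b> ', 'sort' => '<em>name</em> desc');
$errors  = array();
$page    = getFilteredInput($request, 'page', $pageFilters, $pageValidators, $errors);
// $page is '7' and $errors is empty; an invalid value yields null plus messages.

// The non-enforcement Bill describes: nothing stops a direct, unfiltered read.
$rawSort = $request['sort'];   // untouched markup reaches the application
```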
