Newsgroups: php.internals
Message-ID: <5F.70.07637.9AB58734@pb1.pair.com>
From: gamblergluck@yahoo.com (Roman Ivanov)
To: internals@lists.php.net
Date: Mon, 14 Nov 2005 04:45:51 -0500
Subject: Re: results of the PHP6 wishlists

wishlist> input filter extension (including some element of user control)

Will it be used _instead_ of $_POST and $_GET? Honestly, I'm not so sure it's a good idea to implement it like the PECL extension does. Filtering individual variables is, in my opinion, a wrong way to treat user input.

The way I do it on my sites:

1) Call dispatcher parses request variables to find out what to do. This is done before request filtering.
2) System loads the filter that corresponds to the target action.
3) If _any_ of the request variables are invalid, then the system does not perform the action. Instead, it outputs a message stating which field was filled in incorrectly.
4) If all variables are correct, then the system makes an array of "clean" variables (i.e. only the ones that were checked) and passes it to some function.

Simplified example:

    // One pattern per expected field. The D modifier (PCRE_DOLLAR_ENDONLY)
    // stops $ from matching before a trailing newline.
    $filter = array(
        'name'  => '/^[\w\d]+$/D',
        'zip'   => '/^\d{5}$/D',
        'phone' => '/^\d{7,16}$/D',
    );

    try {
        // Returns only the checked fields; throws on the first invalid one.
        $input = filterInput($filter);
    } catch (InvalidField $e) {
        echo $e;
        die();
    }

Besides, is it really necessary to make input filtering a part of the language? It's a very high-level feature, and implementation may vary according to the needs of the developer. Plus, it's perfectly doable in pure PHP.

In fact, I would go as far as removing session handling functions from the "core" language too. Such things would better fit a framework or CMS.

My two cents, anyway.
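
The four steps described in the message above, as an added example that is not Roman Ivanov's code: the action is resolved first, its whitelist is loaded, any invalid field rejects the whole request, and only checked fields are handed on. The names filterInput and InvalidField come from the post, but their bodies, the FILTERS table, dispatch(), the 'register' action and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical bodies for the post's filterInput() and InvalidField names.
class InvalidField extends Exception {}

// One whitelist per action (step 2). The D modifier anchors $ at the very end
// of the subject, so a value with a trailing newline does not pass.
const FILTERS = [
    'register' => [
        'name'  => '/^[\w\d]+$/D',
        'zip'   => '/^\d{5}$/D',
        'phone' => '/^\d{7,16}$/D',
    ],
];

function filterInput(array $filter, array $source): array
{
    $clean = [];
    foreach ($filter as $field => $pattern) {
        $value = $source[$field] ?? null;
        // A missing field or an array value (name[]=x) is invalid, never coerced.
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidField("Field '$field' was filled in incorrectly.");
        }
        $clean[$field] = $value;
    }
    return $clean; // request keys without a rule never reach the action
}

function dispatch(array $request): string
{
    $action = $request['action'] ?? null;            // step 1: find the action
    if (!is_string($action) || !array_key_exists($action, FILTERS)) {
        return 'unknown action';
    }
    try {
        $input = filterInput(FILTERS[$action], $request);
    } catch (InvalidField $e) {
        return $e->getMessage();                      // step 3: name the field
    }
    return 'accepted: ' . implode(',', array_keys($input)); // step 4
}

// Constructed sample requests: an extra key, a trailing newline, an array value.
echo dispatch(['action' => 'register', 'name' => 'roman', 'zip' => '48075', 'phone' => '5551234', 'is_admin' => '1']), "\n";
echo dispatch(['action' => 'register', 'name' => 'roman', 'zip' => "48075\n", 'phone' => '5551234']), "\n";
echo dispatch(['action' => 'register', 'name' => ['x'], 'zip' => '48075', 'phone' => '5551234']), "\n";
```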