Zend_Filter Reviewed, Blacklist / Whitelist Filters

I like Zend Framework’s Zend_Filter class. It’s basically a set of methods for validating untrusted data. Although the two arguably most important features, isEmail() and isUri() (the latter can be worked around with Zend_Uri), are still missing, the whole thing looks promising already. Here are a few thoughts on the package:

  • Remove isGreaterThan() and isLessThan(). That’s what we have the “<” and “>” operators for. I can understand the designer’s intention to deliver a complete set of tests, but these just bloat both Zend_Filter’s and the user’s code. There is no isEqualTo(), either.
  • isDate() looks like a stub. This should be replaced by something more sophisticated.
  • Clean up the code of isHostname().
  • The method name isRegex() makes me think that it checks whether the argument is a valid regular expression. Since pattern matching is a special way of filtering anyway, I’d just abandon the “is” prefix and call it match().
  • I don’t know if isName() works completely accurately on exotic names. Besides, it can easily be left out, as it’s a job for whitelist filtering. See below.
  • International support for isPhone(). I can deliver a Swiss implementation for it, just let me know. By the way, apply self::getDigits() on the input instead of ctype_digit checking.
  • Let’s add three more class methods to Zend_Filter. The first one escapes a string for safe use in regular expressions:

    public static function getRegexEscaped($input) {
        $output = '';
        for ($i = 0; $i < strlen($input); $i++) {
            // Prefix every non-alphanumeric character with a backslash so it
            // loses any special meaning inside a PCRE pattern or character class
            // (PHP's built-in preg_quote() does the same job)
            if (!ctype_alnum($input[$i])) {
                $output .= '\\';
            }
            $output .= $input[$i];
        }
        return $output;
    }

  • The next one validates a string by a character whitelist:

    public static function getWhitelisted($input, $allowed_chars = '', $allow_alpha = true, $allow_numeric = true) {
        // Negated character class: everything that is NOT allowed is stripped
        $regex = '%[^' . ($allow_alpha ? '[:alpha:]' : '') . ($allow_numeric ? '\d' : '') . self::getRegexEscaped($allowed_chars) . ']%';
        return preg_replace($regex, '', $input);
    }

  • When there’s whitelisting, there should be blacklisting, too. On second thought, this should be implemented with str_replace() though.

    public static function getBlacklisted($input, $forbidden_chars) {
        // Strip exactly the listed characters and keep everything else
        $regex = '%[' . self::getRegexEscaped($forbidden_chars) . ']%';
        return preg_replace($regex, '', $input);
    }

For example, we can use the more flexible whitelisting method instead of Zend_Filter::isName():

    /* We only allow letters, spaces and dashes in names */
    $name = Zend_Filter::getWhitelisted($name, " -", true, false);
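As an added example (not code from the post or from Zend Framework), the following stand-alone PHP script carries the three proposed methods in a stand-in class named DemoFilter, so their behaviour can be checked without the framework. The class name, the expect() helper and all sample inputs are constructed for this example; the script contrasts the whitelist with the blacklist on the same input and also checks that getRegexEscaped() neutralises character-class metacharacters passed as allowed characters.

```php
<?php
// Added example (not from the post or Zend Framework): DemoFilter is a
// stand-in carrying the three proposed methods. Sample inputs are constructed.

class DemoFilter
{
    // Backslash-escape every non-alphanumeric byte so the string can be
    // spliced into a PCRE pattern or character class (what preg_quote() does).
    public static function getRegexEscaped($input)
    {
        $output = '';
        for ($i = 0; $i < strlen($input); $i++) {
            if (!ctype_alnum($input[$i])) {
                $output .= '\\';
            }
            $output .= $input[$i];
        }
        return $output;
    }

    // Whitelist: remove everything that is NOT a letter (if enabled), a digit
    // (if enabled) or one of $allowedChars. An empty class would leave "[^]"
    // unterminated, so "nothing allowed" is handled explicitly.
    public static function getWhitelisted($input, $allowedChars = '', $allowAlpha = true, $allowNumeric = true)
    {
        $class = ($allowAlpha ? '[:alpha:]' : '')
               . ($allowNumeric ? '\d' : '')
               . self::getRegexEscaped($allowedChars);
        if ($class === '') {
            return '';
        }
        return preg_replace('%[^' . $class . ']%', '', $input);
    }

    // Blacklist: remove only the listed characters; anything else passes.
    public static function getBlacklisted($input, $forbiddenChars)
    {
        if ($forbiddenChars === '') {
            return $input;
        }
        return preg_replace('%[' . self::getRegexEscaped($forbiddenChars) . ']%', '', $input);
    }
}

// Minimal check helper: stops the run on the first mismatch.
function expect($label, $actual, $expected)
{
    if ($actual !== $expected) {
        throw new RuntimeException("$label: got '$actual', expected '$expected'");
    }
    echo "ok  $label: '$actual'\n";
}

// Constructed sample: a "name" field carrying markup aimed at an HTML page.
$raw = "O'Brien-Smith <script>alert(1)</script>";

// Whitelist (letters, spaces, dashes): every unlisted byte is gone, including
// the parentheses, the digit and the slash nobody put on a blacklist.
expect('whitelist name',
    DemoFilter::getWhitelisted($raw, ' -', true, false),
    'OBrien-Smith scriptalertscript');

// Blacklist of the "obvious" characters: everything unlisted survives, which
// is why the post treats whitelisting as the primary tool.
expect('blacklist name',
    DemoFilter::getBlacklisted($raw, "<>'"),
    'OBrien-Smith scriptalert(1)/script');

// getRegexEscaped() must neutralise class metacharacters in $allowedChars:
// "]", "^", "-" and "\" are allowed here, "|" is not.
expect('escaped metacharacters',
    DemoFilter::getWhitelisted("x]y^z-w\\v|u", "]^-\\", true, false),
    "x]y^z-w\\vu");

// Digits-only whitelist with the separators a phone number needs, in the
// spirit of the getDigits() remark for isPhone().
expect('phone digits',
    DemoFilter::getWhitelisted('tel: +41 44 123 45 67', ' +', false, true),
    ' +41 44 123 45 67');
```

Run it with `php filter_demo.php`; each line prints the filtered value, and a wrong result aborts with a RuntimeException. The two name checks show the practical difference between the approaches: the whitelist only has to describe what a name may contain, while the blacklist has to anticipate every character a later consumer (HTML, SQL, a shell) might treat specially, and misses the ones it does not list.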

Category: programming Time: 2006-03-28 Views: 1