Maarten MandersMaarten Manders

Zend_Filter Reviewed, Blacklist / Whitelist Filters

Programming

Share this article

I like Zend Framework‘s Zend_Filter class. It’s basically a set of methods for validating untrusted data. Although the two arguably most important features isEmail() and isUri() (the latter can be worked around with Zend_Uri) are still missing, the whole thing looks promising already. Here’s a few thoughts on the package:

  • Remove isGreaterThan() and isLessThan(). That’s what we have “< ” and “>” operators for. I can understand the designer’s intention to deliver a complete set of tests but these just bloat both Zend_Filter’s and the user’s code. There is no isEqualTo(), either.
  • isDate() looks like a stub. This should be replaced by something more sophisticated.
  • Clean up the code of isHostname().
  • The method name isRegex() makes me think that it checks whether the argument is a valid regular expression. Since pattern matching is a special way of filtering anyway, I’d just abandon the “is” prefix and call it match().
  • I don’t know if isName() works completely accurate on any exotic names. Besides, it can be easily left away as it’s a job for whitelist filtering. See below.
  • International support for isPhone(). I can deliver a Swiss implementation for it, just let me know. By the way, apply self::getDigits() on on the input instead of ctype_digit checking.
  • Let’s add three more class methods to Zend_Filter. The first one escapes a string for safe use in regular expressions:

public static function getRegexEscaped($input) {
  $output = '';
  for($i = 0; $i < strlen($input); $i++) {
    $output .= 'x'.bin2hex($input{$i});
  }
  return $output;
}
  • The next one validates a string by a character whitelist:

public static function getWhitelisted($input, $allowed_chars = '', $allow_alpha = true, $allow_numeric = true) {
  $regex = '%[^'.($allow_alpha ? '[:alpha:]' : '').($allow_numeric ? 'd' : '').self::getRegexEscaped($allowed_chars).']%';
  return preg_replace($regex, '', $input);
}
  • When there’s whitelisting, there should be blacklisting, too. On second thought, this should be implemented with str_replace() though.

public function getBlacklisted($input, $forbidden_chars) {
  $regex = '%['.self::getRegexEscaped($forbidden_chars).']%';
  return preg_replace($regex, '', $input);
}

For example, we can use the more flexible whitelisting method instead of Zend_Filter::isName. 


/* We only allow letters, spaces and dashes in names */
$name = Zend_Filter::getWhitelisted($name, " -", true, false);
Maarten MandersMaarten Manders
View Author
Share this article
SitePoint Premium
Read Next
Get the freshest news and resources for developers, designers and digital creators in your inbox each week
SitePointStart Free Trial
Stuff we do
PremiumNewslettersLearning pathsLibraryForums
Contact
Contact usFAQPublish your book with usWrite an article with usAdvertise
About
Our storyCorporate membershipsTerms of usePrivacy policy
Connect
RSSFacebookInstagramTwitter (X)
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© 2000 – 2024 SitePoint Pty. Ltd.