Thoughts on ext/filter et al.

Kauft das PHP-Sicherheitsbuch!

Dritte Auflage

Jetzt bestellen!

ISBN-13: 978-3898643696
€ 36,00

Links

(Profil nur für Xing-Mitglieder sichtbar)
Rootserver, Colocation, Hosting
My amazon wishlist
VServer Hosting

Pages

Frontpage
About Christopher Kunz
Kontaktformular

Syndicate This Blog

Thursday, November 9. 2006

Yesterday morning, I went to see Ben Ramsey’s talk on filtering. Although it seemed that beer-induced sleep deprivation had taken its toll on Ben, he presented his audience with a couple of valuable insights. Basically, what he conveyed to me (and his blog entry supports this) was not to use ext/filter or Zend_Filter at all. Nearly every second slide regarding functions of the ZF component or the extension contained remarks like “This doesn’t work yet, it’s a TODO”, “this won’t validate XY properly” or - particularly hilarious - “this function validates phone numbers, but they have to be US ones”. Useful. I have, like, 0 US customers.

So basically, if I was getting Ben right, we have an extension enabled by default that is of very limited use whatsoever. Is that a good thing? I dunno.

Since I’m currently planning the second edition of my book “PHP-Sicherheit” (if you’re a US or UK publisher and want to publish a localized version, do contact me!), I was contemplating the thought of adding a couple of references to ext/filter in the various input filtering chapters. After Ben’s session, I am not sure anymore.
Will ext/filter get enough developer attention over the next 4 or 5 months so it can actually become universally usable?

Does it make sense to enable unfinished extensions by default?

Posted by Christopher Kunz at 13:20 | Comments (8) | Trackbacks (0)

Defined tags for this entry: extension, filter, php, security

Related entries by tags:

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

What are you talking about? The extension as input filtering is finished. Some features are missing (like more SAPI supported for JIT related superglobals, apache2 is in cvs, 5.2.x+).

As Ben Ramsey slides are not available, I have no idea what he means. But one thing is sure, to filter input data, the ext/filter extension is very good. If you like to have an overview, check out the manual and an article I wrote in devzone.zend.com.

Btw, Have you even tried it? I don’t remember having read any kind of comments from you on internals about its inclusion, API or features either but that’s expected

#1 Pierre (Homepage) on 2006-11-09 13:47 (Reply)

Thanks for the clarification. My stance on this is: I go to conference sessions to listen to what other people with potentially more time than myself have to say, so I don’t have to try everything out myself.

And if Ben gives a talk that is focused on filtering with ext/filter and Zend_filter and, during that talk tells his audience that this and that is broken, I tend to believe him. I have no reason not to, since after all, for this topic, he seems to be enough of an expert to get his talk accepted by the IPC board.

I tried ext/filter sometime last year (which was, of course, in a very early stage of development) and will try again in due time. However, Ben’s talk has put a dent into my motivation. Maybe he is to blame, maybe he overlooked stuff, or maybe he’s just plain correct. You tell me he isn’t, and I will try to check who’s right ASAP.

#1.1 Christopher Kunz on 2006-11-09 13:56 (Reply)

“during that talk tells his audience that this and that is broken, I tend to believe him.”

I saw only one bug report from him, which I closed after a fix and no answer to my feedback request. So if there is something broken, I wonder what and why he did not say a word on the list or in the bug report

“ I have no reason not to, since after all, for this topic, he seems to be enough of an expert to get his talk accepted by the IPC board.”

Joker

You need a name more than an expertise. And this is the problem, too many people are talking about things they did not really know or use before, stating things or making conclusions without real clues. It happens in conferences or in blogs (like here).

#1.1.1 Pierre (Homepage) on 2006-11-09 14:02 (Reply)

Pierre, I noticed at least two problems with the extension and my build of 5.2 when preparing for this talk. Once I get over the jet lag from returning home, I’ll file proper bug reports. In short, the code in my slides won’t work for the int validation filter or the regexp filter. The int filter works, but the min and max options have no effect. The regexp seems not to work at all, but the expression works fine with preg_match().

I began preparing the talk from the standpoint of how to filter data using either ext/filter or Zend_Filter_Input. Unfortunately, as I worked on the slides and example code and presented it to the audience, it became clear to me and the audience that both of these have a ways to go before they are helpful to users in production in both the US and abroad. Still, I think they are going in the right direction. I also have a feature request to submit for filter, and, by the way, to date, I have submitted 7 bug reports and 2 feature requests for the filter extension.

#1.1.1.1 Ben Ramsey (Homepage) on 2006-11-10 00:55 (Reply)

Unfortunately Ben’s slides are not around, but it’d certainly be nice to see what he claims is broken in ext/filter. It would be even nicer if he made bug reports to help developers identify the issues.

I cannot say anything about Zend_Filter, since I’ve never used it, let alone seen it’s code, but some of your comments are clearly about it. Since the ext/filter does not attempt to validate things like phone numbers at this time.

The extension offers about two dozen filters for common data types and formats and if the bug system is to believed there is only 1 outstanding bug with the functionality.

#2 Ilia Alshanetsky (Homepage) on 2006-11-09 18:47 (Reply)

The phone number thing is Zend_Filter:

switch ($country)
{
case ‘US’:
default:
throw new Zend_Filter_Exception(’isPhone() does not yet support this country.’);

(Filter.php)
As for ext/filter, it seems that
a) Ben might have used the wrong parameter order in his examples and
b) there are a couple of issues which I will start working on with some core guys as soon as I get around to.

#2.1 Christopher Kunz on 2006-11-09 19:33 (Reply)

Perhaps you can report those issues to filter developers so people can start looking a them right away?

#2.1.1 ilia Alshanetsky (Homepage) on 2006-11-09 20:16 (Reply)

The two “core” guys working on ext/filter have commented your post here and are ready to help you in your investigations or to undestand the extension

#3 Pierre (Homepage) on 2006-11-10 02:20 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry