Ben Edmunds benedmunds.com
Ed Finkler coj@funkatron.com
Version 0.6.3 2022-02-21
Inspekt is a comprehensive filtering and validation library for PHP.
- Accessing user input via the PHP superglobals is inherently dangerous, because the "default" action is to retrieve raw, potentially dangerous data
- Piecemeal, "inline" filtering/validation done at various places in an application's source code is too error-prone to be effective
- The purpose of a library or framework is to make a programmer's job easier. Verbose and/or complex solutions should be avoided unless they are the only solution
- 'Cage' objects that encapsulate input and require the developer to use the provided filtering and validation methods to access input data
- Automatic application of filtering as defined in a configuration file
- A library of static filtering and validation methods
- A simple, clear API
- No external dependencies
The best idea at the moment is to look at the Examples
directory.
<?php
use Inspekt\Inspekt;
/*
* creates a cage for $_GET, $_POST, $_COOKIE, $_ENV, $_FILES, $_SERVER
*/
$superCage = Inspekt::makeSuperCage();
echo 'Digits:' . $superCage->server->getDigits('SERVER_SOFTWARE') . '<p/>';
echo 'Alpha:' . $superCage->server->getAlpha('SERVER_SOFTWARE') . '<p/>';
echo 'Alnum:' . $superCage->server->getAlnum('SERVER_SOFTWARE') . '<p/>';
echo 'Raw:' . $superCage->server->getRaw('SERVER_SOFTWARE') . '<p/>';
<?php
/**
* Demonstration of:
* - use of static filter methods on arrays
* - creating a cage on an arbitrary array
* - accessing a deep key in a multidim array with the "Array Query" approach
*/
require_once dirname(__FILE__) . "/../vendor/autoload.php";
use Inspekt\Cage;
$d = array();
$d['input'] = '<img id="475">yes</img>';
$d['lowascii'] = '������� � � � ';
$d[] = array('foo', 'bar<br />', 'yes<P>', 1776);
$d['x']['woot'] = array(
'booyah' => 'meet at the bar at 7:30 pm',
'ultimate' => '<strong>hi there!</strong>',
);
$d['lemon'][][][][][][][][][][][][][][] = 'far';
$d_cage = Cage::Factory($d);
var_dump($d_cage->getAlpha('/x/woot/ultimate'));
var_dump($d_cage->getAlpha('lemon/0/0/0/0/0/0/0/0/0/0/0/0/0'));
$x = $d_cage->getAlpha('x');
var_dump($x);
$x = $d_cage->getAlpha('input');
var_dump($x);
<?php
require_once dirname(__FILE__) . "/../vendor/autoload.php";
use Inspekt\Inspekt;
$rs = Inspekt::isUri('http://www.w3.org/2001/XMLSchema');
var_dump($rs);
Install PHPUnit, cd to the root dir of Inspekt, and type
phpunit tests/
- Release to force a composer update
- Bug fix for array_key_exists using ArrayObject instead of Array
- Bug fix for isInt()
- Bug fix for isFloat()
- Backwards-compatibility breaks! Be aware! Read examples!
- removed CodeIgniter helper
- removed all session cage code
- refactor for PSR2 compliance, including namespaces (BC BREAK)
- drop mysql for mysqli escaping calls
- Added composer.json file
- Inspekt_Cage::keyExists now returns boolean again, unless second param is TRUE (then it returns the value if key exists)
- fixed a bunch of missing public/protected definitions
- renamed Inspekt_CageTest.php to CageTest.php so phpunit would load it correctly
- wrote a couple unit tests for Inspekt_Cage::testAlnum
- added new way to add cage accessor methods by extending
AccessorAbstract
and registering with cage object - added
Inspekt_Cage::addAccessor()
andInspekt_SuperCage::addAccessor()
- modified
Examples/extending.php
to demonstrate adding new accessor methods - added
HTMLPurifier
integration capability and new cage filtergetPurifiedHTML()
- added a library for CodeIgniter to use
Inspekt
in the standard Input object - make
Inspekt::isArrayObject()
andInspekt::isArrayOrArrayObject()
public - added
__call()
to Inspekt_Cage so we can handle user-defined accessor methods - added underscore to path portion of
isUri()
(Nick Ramsay) - added a new folder for
Integration_helpers
- commented out include for
Inspekt/Cage/Session
inCage.php
because it caused probs generating Cage test skeleton - made PHPUnit
Inspekt_Cage
test skeleton - added simple example for a wrapper that will pull from
GET
orPOST
- refactored and reworked some examples; added db escaping examples
- did some work to get isInt to handle 64 bit integers better (more to do)
- fixed bug in
isOneOf
where a string pattern wasn't converted properly - removed some incorrectly optional params for methods
- isRegex now correctly returns a boolean, not an Int
- added missing cage methods
getROT13
,noTagsOrSpecial
,escMySQL
,escPgSQL
,escPgSQLBytea
- added many more unit tests
- Added
Inspekt::getROT13()
- Added
Inspekt::escMySQL()
- Added
Inspekt::escPgSQL()
- Added
Inspekt::escPgSQLBytea()
- Now arrays are only converted to
ArrayObjects
by cages; arrays passed into static filter calls are returned as arrays. - More unit tests, and tests moved into
InspektTest.php
(removed Tests/ subdir) - cleanup in
Inspekt_SuperCage
to fixSTRICT
notices
- Caged properties can now be iterated over b/c we're implementing
ArrayObject
(Matt McKeon) - added a number of @assert tests for phpunit testing
- cleaned up function declarations so they would not raise STRICT notices
- leveraged Filter Extention in a couple filter methods; can be turned off with
Inspekt::useFilterExt()
- added filter method Inspekt::noTagsOrSpecial() that strips tags, encodes
'"&<>
, and all low ascii chars (< 32) - upped recursion limit to 15
Inspekt::_walkArray
will now convert a plain array into an ArrayObject (should it always? Not sure)- filter methods will now use
Inspekt::isArrayOrArrayObject()
to determine if they need to walk the array - fixed some require_once statements to use
dirname()
resolution so fewer path issues pop up (they showed up when using phpunit)
PHP5 now required, bug fixes for transposed params
Disables processing of $_SESSION
Final OWASP milestone release
Initial Release