Most web security glitches are caused by insufficient input filtering and validation. Despite a large number of validation libraries being available, input sanitization is usually bypassed due to sheer laziness or the idea that your site is somehow immune from bad input data. Inspekt is one such library that has a small footprint and is very easy to integrate into your application.

He goes through the installation (a require_once) and a few examples of how to "cage" incoming data from a sample form with two hidden fields. He shows how to use the library to access the filtered versions of the values and how to run some tests on the data (like checks for alphanumeric, valid hostname, between two values, valid phone number, etc). He also briefly mentions "super cages" that can be used over and over.

Inspekt is a library for PHP4 and PHP5 that aims to make safe input handing easier, and unsafe actions more difficult. Inspekt establishes a new development approach by wrapping input within "cage" objects, and requiring the developer to use validation and filtering methods to test and manipulate the input data. This article provides a brief introduction to Inspekt and its capabilities.

The article covers all of the basics - what the library can do for you, how it integrates into your application and how it helps to protect you from potential problems with the data in your superglobals ($_GET, $_POST, $_REQUEST, etc).

I've uploaded the 0.3 release of Inspekt, the input filtering and validation library for PHP4 and 5. With this release, Inspekt completes the goals of the original specification for the OWASP SpoC007 project. I believe it is ready for "real-world" use.

Along with the new code being released there's also more documentation, API docs, a PEAR channel and a mailing list.

Everyone knows that you should filter your inputs most of the good programmers do it but when you are working with a large team of programmers on an open source project things slip up, errors do creep in, at times like this you wish for a mechanism which would prevent your team from making such mistakes, some thing which forces them to declare their intent.

One solution he mentions is the input_filter extension for PHP5, but this doesn't help most users since it's normally off by default and PHP5-only. The other solution, Inspekt, a modified version of the Zend_Filter_input component of the Zend Framework. An example is included and a list of filtering methods is too (like getAlnum, getDigits and getInt).

Although downloads have been on the Google Code site for a bit, I recently put up a new build of Inspekt. This could probably be described as a late alpha release, with most proposed features implemented.

Also included in this new edition are full API documentation for the application, some documentation on its basic usage and, of course, the source of this latest release.

I'm very, very excited to announce that OWASP has chosen to fund development of what I'm calling "Inspekt" as part of their OWASP Spring of Code 2007. You can read my full proposal at the OWASP SoC Application Page.

The idea behind Inspekt is to provide a comprehensive input filtering and validation library for PHP. Building upon Chris Shiflett's original Zend_Filter_Input implementation

Some of the new features of this library include retrieval and filtering support for multidimensional arrays, a variety of helper methods to reduce code verbosity, compatibility with PHP4 and PHP5, and will be entirely self-contained (yet easily "pluggable").

Check out his full proposal for more details on what direction the project's heading and some sample code to show how it might all work.