Few quotes related to the PHP language are as pithy and resoundingly accurate as the phrase: "Eval is evil." The reasons are myriad: the eval() function basically gives whatever code is passed to it unlimited control of the parser, and this freedom makes eval() both a temptation for developers, who may need to dynamically control PHP at runtime, and a panacea for hackers who are ever-searching for more servers to add to their botnets. So, how does one make use of the extreme power available through runtime evaulation of PHP, without exposing one's server to near-certain rooting? Through a sandbox.

His tool - PHPSandbox, uses the PHP-Parser library to deconstruct the PHP code its given and look for issues. He gives an example of a call to mail and how it would catch the issue. He shows how to install it via Composer, how to configure it with whitelisted methods/functions. It also includes a way to overwrite function calls with a bit safer alternative.

Valitron is a simple, minimal and elegant stand-alone PHP validation library with NO dependencies. Valitron uses simple, straightforward validation methods with a focus on readable and concise syntax.

He created the library because of frustration with other tools that had (sometimes major) dependencies on other packages. All he wanted was something lightweight and easy to use that was flexible about how it handled its validation rules. Valitron lets you apply a validation (like "required") against multiple fields in the provided data and includes checks for things like length, valid IP, active URL, alpha-numeric, date format and regular expression match. You can also add custom validation rules via a callback/closure.

Hello all from sunny Florida :) Recently discovered jquery validation plugin only 6 years too late, and have found some tools that work in conjunction with it, including Pajama, a PHP library. Also have some links to font combination articles and tools, and have recently been using "parallel deployment" in Tomcat 7.

The Pajama PHP library does "hybrid validation" and follows the rules of the jQuery validation plugin but for the server side. You can listen to this latest episode either through the in-page player or by downloading the mp3. You can also subscribe to their feed to get the latest shows.

Validation and sanitization are extremely important topics, any developer should be aware of. Especially with powerful, modern frameworks, people seem to forget about the underlying concepts and wrongly assume it's already solved somehow. Correctly used and early on integrated, both play the central role in defending against attacks on your application.

He talks a bit about why you should care about the topic, some of the common issues/threats that could come up because of it and some general information on what validation and sanitization are. He looks at implementation with the filter extension and touches on functionality from Symfony 2, Laravel 3, CakePHP 2 and shares his own data filtering module with examples of its use.

Since PHP 5.2 brought us the filter_var function, the time of such [regular expressions-based] monsters was over. [With] the simple, yet effective syntax [and] with a third parameter, filter flags can be passed, [...] 4 flags are available [for URL filtering].

He shows how to use it to filter out a simple XSS issue (a "script" tag in the URL) and some examples of issues that the filter_var function doesn't prevent - like injection of other schemes (like "php://" or "javascript://"). He recommends adding a wrapper around the method to check for the correct scheme (ex. "http" or "https" for URLs) and reminds you that filter_var is not multibyte capable.

In this Nettuts+ mini-series, we'll build a web application from scratch, while diving into a great new PHP framework that's rapidly picking up steam, called Laravel. In this lesson, we'll be learning about some very useful Laravel features: filters, and both the validation and files libraries.

They continue improving their sample application ("Instapics") and show you how to:

• Create a filter to run before or after the request is handled
• Apply a set of validation rules to a given dataset
• Handle custom error messaging
• Work with local files and uploads

They then take all of this and apply it to their application, creating an "auth" filter and login form, creating a form and doing some validation on its results and letting the user upload an image file.

Filter functions in PHP might not be sexy, but they can improve the stability, security, and even maintainability of your code if you learn how to use them correctly. In this article I'll explain why input validation is important, why using PHPs built-in functions for performing input validation is important, and then throw together some examples (namely using filter_input() and filter_var()), discuss some potential pitfalls, and finish with a nice, juicy call to action.

He talks about why validation is important to protect your application (and users) from malicious things like cross-site scripting. He emphasizes the use of PHP's own filter methods because they are established and, well, included in the language - no additional libraries needed. Example code is included showing how to use them to filter email addresses and check that something is an integer.

You can find out more about these functions on their manual pages: filter_input, filter_var.

As web developers, the applications you write are complex data processing engines. They try and convince your users to enter good, meaningful data and to respond in solid, predictable ways based on what was entered. Robust data validation will allow the rest of you application to work effectively. [...] Data is scrutinized in various ways to make sure that it adheres to basic restrictions and to fundamental properties. It's no good receiving a sandwich when you expect a car.

The questions he answers are:

• Why is Data Validation Important?
• Where Should I be Validating Data?
• When Should My Data Be Validated?
• Who is Responsible for Validation?
• How Do I Validate My Data? (yes, there's a "w" in there!)

In the real world data is ugly, crazy, and untrustworthy. Your only hope to taming the data beast is to diligently, methodically validate your data.

I am yet to write the last article of the Yii Session series. I just decided to write something about the scenarios in the Validation feature of Yii framework. Scenarios are a very useful tool for adding different validations rules for different cases on the same model. In a real life situation, you would require one validation rule for user registration but the same rule might not be applicable to the User login. Scenarios help you define validation rules for different situations within same model.

He shows you how to set up a "rules()" method in your model and a few validation configurations inside it - ensuring the password and email are set, checking the length of the password, etc. Then, by calling the "validate()" method on the model, you can easily apply these rules and check the pass/fail status.

So, when developing with symfony2, I rely on my tests. They are my safety net and without them, I get a little nervous after every change. Does everything work? Did I forget anything? So I developed some classes which I extend. They work on top of PHPUnit and the symfony2 WebTestCase. The classes are used by my different types of Tests: UnitTests, ValidationTests, FunctionalTests (as well as IntegrationTests).

Code for each type of testing base class is included in the post showing how he extends the based PHPUnit test case for unit testing and the Symfony WebTestCase for validation and functional testing. Each one of the classes are ready to use and give you some handy helper methods too.