
Sebastian de Deyne:
Normalize Your Values on Input
Mar 11, 2016 @ 11:55:58

In a post to his site Sebastian de Deyne makes the suggestion that you should normalize your values (input) as soon as possible.

Dynamic languages allow us to pass anything as a parameter without requiring a specific type. In turn, this means we often need to handle some extra validation for the data that comes in to our objects.

This is a lightweight post on handling your incoming values effectively by normalizing them as soon as possible. It's a simple guideline worth keeping in mind which will help you keep your code easier to reason about.

He gives an example of an HtmlClass object that can take in either a single string or an array of strings. With this structure he shows the complexity it would add to methods like toArray and toString. Instead he recommends normalizing the value in the constructor, making it an array if it isn't one already. The code required in the rest of the class to use or translate it is then much simpler.
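An added example (not the code from Sebastian de Deyne's post) of the pattern described above: the constructor is the only place that knows input may be a string or an array, and the element type is enforced there too, so the rest of the class deals with exactly one shape.

```php
<?php
// Added example, not the code from Sebastian de Deyne's post: an HtmlClass
// that accepts one string (possibly space-separated) or an array of strings
// and normalizes to a clean string[] in the constructor.
final class HtmlClass
{
    /** @var string[] */
    private array $classes = [];

    /** @param string|string[] $classes */
    public function __construct(string|array $classes)
    {
        // Normalize once, on input: a string becomes an array of tokens.
        $list = is_array($classes) ? $classes : preg_split('/\s+/', $classes);

        foreach ($list as $class) {
            // Enforce the element type here so toArray()/toString() never have to.
            if (!is_string($class)) {
                throw new InvalidArgumentException('Class names must be strings, ' . gettype($class) . ' given');
            }
            $class = trim($class);
            // Drop empties (e.g. from doubled spaces) and duplicates.
            if ($class !== '' && !in_array($class, $this->classes, true)) {
                $this->classes[] = $class;
            }
        }
    }

    /** @return string[] */
    public function toArray(): array
    {
        return $this->classes;
    }

    public function toString(): string
    {
        return implode(' ', $this->classes);
    }
}

// Constructed inputs: three spellings of the same class list.
$a = new HtmlClass('btn  btn-primary');
$b = new HtmlClass(['btn', 'btn-primary', 'btn']);
$c = new HtmlClass(' btn btn-primary ');
var_dump($a->toArray() === $b->toArray() && $b->toString() === $c->toString());
```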

tagged: normalize values input array string example tutorial

Link: https://sebastiandedeyne.com/posts/2016/normalize-your-values-on-input

SitePoint PHP Blog:
More Tips for Defensive Programming in PHP
Jan 25, 2016 @ 12:07:48

The SitePoint PHP blog has posted a tutorial continuing on from some previous advice with even more defensive programming practices you can use in your PHP applications.

Many people argue against defensive programming, but this is often because of the types of methods they have seen espoused by some as defensive programming. Defensive programming should not be viewed as a way to avoid test driven development or as a way to simply compensate for failures and move on. [...] What are these methods, if not ways to anticipate that your program may fail, and either prevent those, or else ways in which to handle those failures appropriately?

They go on to talk about the ideas of "failing fast" when errors happen in your application with an extra suggestion added on - "fail loud" too. The tutorial then looks at four different places where more defensive programming techniques can be applied (and how):

  • Input validation
  • Preventing Accidental Assignment in Comparisons
  • Dealing with Try/Catch and Exceptions
  • Transactions

They end with a recommendation that, while you should fail fast and loud when issues come up, you should make sure it's not to the detriment of the overall user experience, and that you aren't sharing messages with users that may just confuse them.

tagged: tutorial series defensive programming tips failfast input validation assignment trycatch transaction

Link: http://www.sitepoint.com/more-tips-for-defensive-programming-in-php/

Derick Rethans:
Questions from the Field: Should I Escape My Input, And If So, How?
Jan 27, 2015 @ 09:22:04

In his latest post Derick Rethans shares his answer to a question he was asked at a recent PHP conference regarding the escaping of input before use in a MongoDB query.

At last weekend's PHP Benelux I gave a tutorial titled "From SQL to NoSQL". Large parts of the tutorial covered using MongoDB—how to use it from PHP, schema design, etc. I ran a little short of time, and since then I've been getting some questions. One of them being: "Should I escape my input, and if so, how?". Instead of trying to cram my answer in 140 characters on Twitter, I thought it'd be wise to reply with this blog post. The short answer is: yes, you do need to escape.

He uses the rest of the post to get into the longer answer, with more detail about why you should escape and what kinds of things can be done. He points out that, because of how MongoDB queries are created, SQL-style injection is much more difficult. He also reminds you that superglobals can carry arrays as well as strings, which could lead to unexpected data input. He gives an example of how this would work and why it would be a problem.

So although MongoDB's query language does not require you to build strings, and hence "escape" input, it is required that you either make sure that the data is of the correct data type.

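An added example (not Derick Rethans' code) of the type check the post calls for: PHP decodes query strings such as `name[x]=y` into arrays, so a request parameter you expect to be a string must be checked before it goes into a MongoDB filter. The `RequestInput` helper and the sample arrays are constructed for this example.

```php
<?php
// Added example, not Derick Rethans' code: enforce the data type of request
// values before they reach a MongoDB filter. A parameter expected to be a
// string may arrive as an array unless you check.
final class RequestInput
{
    /**
     * Return $source[$key] only if it is a plain string; throw otherwise.
     * Arrays and missing keys are rejected rather than silently coerced.
     */
    public static function string(array $source, string $key): string
    {
        if (!array_key_exists($key, $source)) {
            throw new InvalidArgumentException("Missing parameter: $key");
        }
        if (!is_string($source[$key])) {
            throw new InvalidArgumentException(
                "Parameter $key must be a string, " . gettype($source[$key]) . ' given'
            );
        }
        return $source[$key];
    }

    /** Same idea for integers: accept only digit strings and cast explicitly. */
    public static function int(array $source, string $key): int
    {
        $raw = self::string($source, $key);
        if (preg_match('/^-?\d+$/', $raw) !== 1) {
            throw new InvalidArgumentException("Parameter $key must be an integer");
        }
        return (int) $raw;
    }
}

// Constructed stand-ins for $_GET, so the example runs without a web server.
$good = ['username' => 'alice', 'page' => '2'];
$bad  = ['username' => ['x' => 'y'], 'page' => '2'];   // what ?username[x]=y decodes to

// A plain equality filter built only from values of the expected type.
$filter = ['username' => RequestInput::string($good, 'username')];
$skip   = (RequestInput::int($good, 'page') - 1) * 20;
var_dump($filter, $skip);

try {
    RequestInput::string($bad, 'username');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // the array never reaches the query
}
```
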
tagged: escape input mongodb phpbnl15 question answer datatype

Link: http://derickrethans.nl/escape-input.html

Hari KT:
Aura Input Form Inside Slim Framework
Sep 08, 2014 @ 10:55:13

Hari KT has a new post to his site today showing how you can integrate the Aura PHP components into a Slim framework application for input handling, like from a form. Aura PHP is a set of decoupled components for things like CLI handling, dependency injection and SQL requests (among others).

Rob Allen wrote about Integrating ZF2 forms into Slim. I did write how you can use Aura.Input and Aura.Html to create standalone form for PHP. This time I felt I should write about integrating aura input inside Slim.

He includes the Composer configuration to install the HTML and Input components as well as an up-to-date version of the Slim framework. Code showing how to create the form class (a "Contact form") is included, showing both the creation of the elements and the filtering/validation checks put on each. He shows how the Slim routes would handle the request as well as how the view processes the request and displays the form via a helper. You can get the full working code in this repository over on GitHub.

tagged: auraphp framework slim form input html tutorial

Link: http://harikt.com/blog/2014/09/02/aura-input-form-inside-slim-framework/

Greg Freeman:
Processing data with PHP using STDIN and Piping
Nov 18, 2013 @ 10:24:56

Greg Freeman has a post today looking at using streams and STDIN in PHP to handle incoming data (such as input to a CLI script).

PHP streams are still lacking in documentation and are rarely used compared to other PHP features. This is a shame because they can be really powerful and I have used them to gain a lot of performance when doing things such as processing log files. One of the more powerful features of Linux is the ability to pipe in data from another program, it’s often faster to offload tasks to an existing linux user space program than to do it in PHP and the added benefit is that you gain multi core processing which is not possible with standard PHP.

He talks briefly about the "pipe" character and how it allows you to send the output from one command to another. He shows how to mimic this same kind of input handling in PHP using the "php://stdin" stream and a fopen function call. He gets a bit more in-depth into how the streams work (blocking) and a bit of configuration and data you can get about the current streams. The post finishes with an example of a non-blocking input handler that will automatically end execution if no data is given within three seconds.

tagged: data process stdin input handling tutorial pipe

Link: http://www.gregfreeman.org/2013/processing-data-with-php-using-stdin-and-piping/

Paul Jones:
Aura Has New Releases: Input, Sql, and View
Sep 18, 2013 @ 09:58:54

As Paul Jones mentions in his most recent post (pulled from the Aura blog), the Aura framework has some new releases of its component packages - specifically Input, Sql and View.

On the heels of last week’s slew of releases, we have three followups! The Aura.Input package got a feature-level bump to 1.1.0, with a new FormFactory. Thanks to Hari KT for championing that one. Aura.Sql is now at 1.3.0, due to lots of work from MAXakaWIZARD to provide SQLite- and PostgreSQL-specific query objects. Finally, the Aura.View package got a bugfix and is now at 1.2.1; it handles content-type negotiation better for those times when there is no Accept header.

If you'd like more information about the Aura framework, check out the project site or each of the packages that make it up. Aura is a decoupled set of components without additional dependencies.

tagged: aura framework release input sql view component dependency

Link: http://paul-m-jones.com/archives/4731

David Müller:
Why URL validation with filter_var might not be a good idea
Sep 20, 2012 @ 08:09:31

David Müller has a new post to his site today showing why validating URLs with filter_var alone might not be enough for the security of your application.

Since PHP 5.2 brought us the filter_var function, the time of such [regular expressions-based] monsters was over. [With] the simple, yet effective syntax [and] with a third parameter, filter flags can be passed, [...] 4 flags are available [for URL filtering].

He shows how to use it to filter out a simple XSS issue (a "script" tag in the URL) and some examples of issues that the filter_var function doesn't prevent - like injection of other schemes (like "php://" or "javascript://"). He recommends adding a wrapper around the method to check for the correct scheme (ex. "http" or "https" for URLs) and reminds you that filter_var is not multibyte capable.
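An added example (not David Müller's code) of the wrapper he recommends: `filter_var()` with `FILTER_VALIDATE_URL` checks the syntax, and the scheme is then compared against an allow-list. The function name and the sample inputs are constructed for this example.

```php
<?php
// Added example, not David Müller's code: a wrapper around filter_var() that
// also allow-lists the URL scheme, since FILTER_VALIDATE_URL accepts any
// syntactically valid scheme, not only http and https.
function validate_http_url(string $url, array $allowedSchemes = ['http', 'https']): ?string
{
    // filter_var() returns the URL or false. It is not multibyte-aware, so
    // non-ASCII hostnames must be punycode-encoded before this check.
    $valid = filter_var($url, FILTER_VALIDATE_URL);
    if ($valid === false) {
        return null;
    }

    // Second gate: only the schemes this application actually wants.
    $scheme = parse_url($valid, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), $allowedSchemes, true)) {
        return null;
    }
    return $valid;
}

// Constructed inputs: only the first two pass both gates.
$candidates = [
    'https://example.com/path?q=1',
    'http://example.org',
    'javascript://example.com',
    'php://filter',
    'not a url',
];
foreach ($candidates as $candidate) {
    printf("%-30s %s\n", $candidate, validate_http_url($candidate) === null ? 'rejected' : 'accepted');
}
```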

tagged: filtervar url validation security filter input


Input Validation Using Filter Functions
Jun 01, 2012 @ 15:53:28

On PHPMaster.com today there's a good tutorial that gives you some methods to do one of the most important things in any application - validating input. Their examples show how to use some of PHP's own filter functions to accomplish this.

Filter functions in PHP might not be sexy, but they can improve the stability, security, and even maintainability of your code if you learn how to use them correctly. In this article I’ll explain why input validation is important, why using PHPs built-in functions for performing input validation is important, and then throw together some examples (namely using filter_input() and filter_var()), discuss some potential pitfalls, and finish with a nice, juicy call to action.

He talks about why validation is important to protect your application (and users) from malicious things like cross-site scripting. He emphasizes the use of PHP's own filter methods because they are established and, well, included in the language - no additional libraries needed. Example code is included showing how to use them to filter email addresses and check that something is an integer.

You can find out more about these functions on their manual pages: filter_input, filter_var.

tagged: input validation filter tutorial bestpractice filtervar filterinput


Sanitizing Input with PHP
Dec 13, 2011 @ 11:49:31

DevShed.com has a new tutorial posted today looking at how to sanitize data in your application, specifically data coming from the user, when calling shell commands.

Neglecting to sanitize user input that may subsequently be passed to system-level functions could allow attackers to do massive internal damage to your information store and operating system, deface or delete Web files, and otherwise gain unrestricted access to your server. And that's only the beginning.

He starts with a "real world" example of non-filtered data that could pass through a "rm" command and erase your entire drive. He offers two solutions for preventing this sort of hack using the escapeshellcmd and escapeshellarg functions.
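An added example (not DevShed's code) showing the two functions the tutorial names in a defensive flow: structural checks on the user-supplied filename first, then `escapeshellarg()` to quote it as a single shell argument. The function name, the temp directory and the sample filenames are constructed for this example.

```php
<?php
// Added example, not DevShed's code: a user-supplied filename is checked,
// then quoted with escapeshellarg() before a shell command sees it, so
// metacharacters in the name are data rather than syntax.
function count_lines_in_upload(string $userFilename, string $uploadDir): string
{
    // Structural check: a bare filename only, nothing that navigates directories.
    if ($userFilename === '' || $userFilename !== basename($userFilename)) {
        throw new InvalidArgumentException('bare filename expected');
    }
    $base = realpath($uploadDir);
    $path = realpath($uploadDir . '/' . $userFilename);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        throw new InvalidArgumentException('file not found inside the upload directory');
    }
    // Scope checks passed; now quote the single argument for the shell.
    return (string) shell_exec('wc -l ' . escapeshellarg($path));
}

// Constructed demo: a temp upload directory with one awkwardly named file.
$dir = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/it's data.txt", "a\nb\nc\n");

echo count_lines_in_upload("it's data.txt", $dir);   // the quote in the name is harmless

foreach (['../etc/hosts', 'a.txt; echo hi'] as $bad) {
    try {
        count_lines_in_upload($bad, $dir);
    } catch (InvalidArgumentException $e) {
        printf("%-16s rejected: %s\n", $bad, $e->getMessage());
    }
}

// escapeshellcmd() is for a whole command line rather than one argument:
echo escapeshellcmd('ls -l ' . $dir), "\n";

unlink("$dir/it's data.txt");
rmdir($dir);
```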

tagged: sanitize input shell command tutorial escapeshellcmd escapeshellarg


How do YOU sanitize input?
Nov 03, 2011 @ 11:04:02

On Reddit.com there's a recent post that asks the question How do YOU sanitize input in your PHP applications?

I am developing some software for my high school using HTML, CSS, MySQL, and most importantly PHP. [...] So I pose this question, what is YOUR favorite way to sanitize input for inserting, updating, or selecting from a database? Also, is there any way you prefer to verify that input is of a certain type, and only of that type, i.e., if you're expecting an int or a string, how would you make sure you are receiving one?

Answers on the post touch on things like:

tagged: input sanitize database filter opinion