Don't Trust Your Users
Chris Tankersley
ZendCon 2014
2
Who Am I?
● A PHP Developer for 10 Years● Lots of projects no one uses, and a few some do
● https://github.com/dragonmantank
3
Everyone Loves a Story
http://northweststate.edu/about-nscc/
4
Programming is Just Acronyms
● DRY – Don't Repeat Yourself● KISS – Keep It Simple, Stupid● IPO – Input, Process, Output
5
GIGO – Garbage In, Garbage Out
6
Users Are a Nice Big Family
7
Some People Want To Watch The World Burn
8
We Love Contact Forms
9
Client Side Validation
10
HTML5 Validation
<input type="email" required>
<input type="text" pattern="\d{5}([\-]\d{4})?)">
11
Browsers Suck
http://caniuse.com/#search=required
12
Server Side is Necessary
http://cucher.iblogger.org/images/as400_family.jpg
13
Filtering vs Validation
14
Removes Unwanted 'Stuff'
15
Filtering changes things
https://www.flickr.com/photos/httpwwwflickrcompeoplenadar/3349883/sizes/l
16
Filtering changes things
17
Validation Judges Things
18
Most Libraries Do Both
19
PHP's Filter Module
20
Some Background
● Enabled by default since 5.2.0● Provides both Validation and Filtering● Very easy to use to work with data● Exposed via the 7 basic functions
21
Validation is Easy and Fun!
<?phpvar_dump(filter_var('755', FILTER_VALIDATE_INT));var_dump(filter_var('755.0', FILTER_VALIDATE_INT));
int(755)bool(false)
22
Basic Validation Out of the Box
23
We can clean up data as well
filter_var('ID 655', FILTER_SANITIZE_NUMBER_INT);
string(3) '655'
24
What can we clean up?
25
What can we clean up?
26
Manual Filters
function myFilter($string) {return substr($string, 5);
}
$output = filter_var('This is my test string', FILTER_CALLBACK, array('options' => 'myFilter',
)));
string(12) 'is my string'
27
Does big jobs as well
28
Aura.Filter
29
Easy To Use
30
Rule Types
● Soft Rules – Doesn’t Stop Validation Chain ● Hard Rules – Stop Validation Chain For This
Element● Stop Rules – Stop All Validation
31
Validation and Filtering
● RuleCollection::IS – Must match the rule● RuleCollection::IS_NOT – Must not match● RuleCollection::IS_BLANK_OR – Must be blank
or match● RuleCollection::FIX – Sanitize The Data● RuleCollection::FIX_IS_BLANK_OR – Fix if not
blank
32
Bundled Rules
● Alnum● Alpha● Between● Blank● Bool● Credit Card● DateTime● Email
● Equal To Field● Equal To Value● Float● In Array Keys● In Array
Values● Int● ipv4● Locale
● Max● Min● Regex● Strict Equals● String(length,
min,max)● Trim● Upload● Url
33
Custom Rules
● Extend Aura\Filter\AbstractRule● Implement validate() and sanitize()● Add to the Rule Locator
34
Check it out
https://github.com/auraphp/Aura.Filter
35
Use Your Framework's
36
Zend Framework 2
37
Zend\Validator
38
Zend\Validator
39
Zend\Validator
40
Model Validation
41
Symfony2 Validation
42
Symfony2 Validator
Read the docs - http://symfony.com/doc/current/book/validation.html
43
Symfony2 Validator
44
Use with Forms
45
Always Look First
46
One Last Thing
47
Validation is Hard
48
Questions?
Recommended
