Data filtering and validation using Inspekt


Most web security glitches are caused by insufficient input filtering and validation. Despite a large number of validation libraries being available, input sanitization is usually bypassed due to sheer laziness or the idea that your site is somehow immune from bad input data. Inspekt is one such library that has a small footprint and is very easy to integrate into your application.

The basic principle behind the library

Every data filtering/validation library hinges on three basic principles.

The first principle is of preventing users from accessing user input via the PHP superglobals, because the “default” action is to retrieve the raw, potentially dangerous data.

The second principle is preventing ad-hoc filtering/validation code at various places in the application which can be error-prone and difficult to modify.

The final principle is that of simplicity. A validation library should make a programmer’s job easier. Complex solutions should be avoided unless they are the only solution, as programmers tend to bypass intricate solutions citing various reasons for the same.

Installing Inspekt

Inspekt is easy to install. Just download the library and include the ‘Inspekt.php’ in your application with the correct path.

require_once('Inspekt.php');

Caging data

Take the following simple code using Inspekt. Here all the POST data is only made available through the ‘post_cage’ object, once it is initialized. The original POST data is immediately deleted preventing you from accidentally using data from the $_POST array. In short all the POST data is now safety ‘caged’ in the ‘post_cage’ object, which can only be accessed by using the various objects functions.

<?php
 
require_once('Inspekt.php');
 
if(isset($_POST['submit'])) 
{
    /* This will print the $_POST data */
    print_r($_POST);
 
    /* Store all the POST data in a 'cage', 
     * this will also automatically delete 
     * all the original POST data.
    */
    $post_cage = Inspekt::makePostCage();
 
    /* This will now return an empty array */
    print_r($_POST);
}
 
?>
 
<html>
<body>
<form id="myform" name="myform" method="POST">
<input type="hidden" name="fname" value="testString" />
<input type="hidden" name="id" value="500" />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>

Example 1.

Accessing ‘caged’ data

Now that we have seen how the POST data is safely stored in a ‘cage’, we will look at how to access and validate the data.

In the above example we have a ‘fname’ html field which we can access from the cage as following, which will print the string “testString”.

.
echo $post_cage->getRaw('fname');
.
.

But wait, what does this buy us, we are just using another object to access the same POST data in a different way. Well this is just one method, which just returns the raw data, the real value comes when we use validation and filtering methods.

Suppose we wanted to make sure that only alpha-numeric characters are allowed in the “fname” variable, we can use the following code which will return the value of the variable if the value is alpha-numeric or ‘false’ otherwise.

.
if($fname = $post_cage->testAlnum('fname')) {
   // Do something here if 'fname' is alphanumeric
}
.
.

Again let us say we have to check if the value of the ‘id’ field lies between 100 – 600, we can use the following:

.
if($post_cage->testBetween('id',100, 600))
{
     // value lies between 100 - 600, do something
}
.
.

Beside the above two, the following are some other useful methods:

* testAlnum (mixed $key)
* testAlpha (mixed $key)
* testBetween (mixed $key, mixed $min, mixed $max, [boolean $inc = TRUE])
* testCcnum (mixed $key, [mixed $type = NULL])
* testDate (mixed $key)
* testDigits (mixed $key)
* testEmail (mixed $key)
* testFloat (mixed $key)
* testGreaterThan (mixed $key, [mixed $min = NULL])
* testHex (mixed $key)
* testHostname (mixed $key, [integer $allow = ISPK_HOST_ALLOW_ALL])
* testInt (mixed $key)
* testIp (mixed $key)
* testLessThan (mixed $key, [mixed $max = NULL])
* testOneOf (mixed $key, [ $allowed = NULL])
* testPhone (mixed $key, [ $country = 'US'])
* testRegex (mixed $key, [mixed $pattern = NULL])
* testUri (unknown_type $key)
* testZip (mixed $key)

Caging other input data

In the above examples we have seen how to add the POST data to a ‘cage’ using the ‘Inspekt::makePostCage’ method. Likewise, we can also use other methods for other input types:

• Inspekt::makeGetCage()
Returns an Inspekt_Cage for the $_GET array

• Inspekt::makePostCage()
Returns an Inspekt_Cage for the $_POST array

• Inspekt::makeCookieCage()
Returns an Inspekt_Cage for the $_COOKIE array

• Inspekt::makeServerCage()
Returns an Inspekt_Cage for the $_SERVER array

• Inspekt::makeFilesCage()
Returns an Inspekt_Cage for the $_FILES array

• Inspekt::makeEnvCage()
Returns an Inspekt_Cage for the $_ENV array

So to ‘cage’ the $_GET data we can use the following:

$get_cage = Inspekt::makeGetCage();

Using the Super Cage

Using a different cage for each different input type can be cumbersome, for this we can use the ‘SuperCage’ method, which encapsulates all the above input data in a single object.

$super_cage = Inspekt::makeSuperCage();

Example 1. can be now be coded as below:

<?php
 
require_once('Inspekt.php');
 
if(isset($_POST['submit'])) 
{
    $super_cage = Inspekt::makeSuperCage();
 
    echo $super_cage->post->testAlnum ('fname') . " ";
    echo $super_cage->post->testBetween('id',220, 600);
}
 
?>
 
<html>
<body>
<form id="myform" name="myform" method="POST">
<input type="hidden" name="fname" value="testString" />
<input type="hidden" name="id" value="500" />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>

In conclusion

I find Inspekt a quite interesting validation/filtering library. Although the development seems to have stalled at Version 0.4.1, the code is complete and simple to use. This post has only covered a small portion of the library, for more information you can visit the original source.

This site is a digital habitat of Sameer Borate, a freelance web developer working in PHP, MySQL and WordPress. I also provide web scraping services, website design and development and integration of various Open Source API's. Contact me at metapix[at]gmail.com for any new project requirements and price quotes.

2 Responses

1

Karthik

March 31st, 2011 at 7:05 am

cool article.. very informative..

2

razvantim

April 2nd, 2011 at 1:36 am

nice article and simple validation library. I’ll give it a try

Your thoughts

Sign up for fresh content in your email