Data filtering and validation using Inspekt

Most web security glitches are caused by insufficient input filtering and validation. Despite a large number of validation libraries being available, input sanitization is usually bypassed due to sheer laziness or the idea that your site is somehow immune from bad input data. Inspekt is one such library that has a small footprint and is very easy to integrate into your application.

The basic principle behind the library

Every data filtering/validation library hinges on three basic principles.

The first principle is to prevent the programmer from reading user input directly through the PHP superglobals, because the “default” action is to retrieve the raw, potentially dangerous data.

The second principle is to prevent ad-hoc filtering/validation code scattered across the application, which is error-prone and difficult to modify.

The final principle is simplicity. A validation library should make a programmer’s job easier. Complex solutions should be avoided unless they are the only solution, as programmers tend to bypass intricate solutions, citing various reasons for doing so.

Installing Inspekt

Inspekt is easy to install. Just download the library and include the ‘Inspekt.php’ in your application with the correct path.


Caging data

Take the following simple code using Inspekt. Here all the POST data is made available only through the ‘post_cage’ object, once it is initialized. The original POST data is immediately deleted, preventing you from accidentally using data from the $_POST array. In short, all the POST data is now safely ‘caged’ in the ‘post_cage’ object, and can only be accessed through the object’s various methods.

Example 1.

Accessing ‘caged’ data

Now that we have seen how the POST data is safely stored in a ‘cage’, we will look at how to access and validate the data.

In the above example we have a ‘fname’ HTML field, which we can access from the cage as follows; this will print the string “testString”.

echo $post_cage->getRaw('fname');

But wait, what does this buy us? We are just using another object to access the same POST data in a different way. Well, this is just one method, and it returns the raw data; the real value comes when we use the validation and filtering methods.

Suppose we wanted to make sure that only alphanumeric characters are allowed in the “fname” variable. We can use the following code, which returns the value of the variable if it is alphanumeric, or ‘false’ otherwise.

if ($fname = $post_cage->testAlnum('fname')) {
    // Do something here if 'fname' is alphanumeric
}

Again let us say we have to check if the value of the ‘id’ field lies between 100 – 600, we can use the following:

if ($post_cage->testBetween('id', 100, 600)) {
    // value lies between 100 - 600, do something
}
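The following is an added example (not code from the original post or from the Inspekt project) that ties the “Caging data” and “Accessing caged data” sections together in one form handler. It assumes ‘Inspekt.php’ is on the include path and that the form carries the ‘fname’ and ‘id’ fields of Example 1; the $_POST contents are constructed so the script can be run from the command line. It also shows a check the two snippets above skip: because every test* method returns the value on success and false on failure, a legitimate value that PHP treats as falsy (such as the string "0") must be compared with `=== false` rather than tested for truthiness.

```php
<?php
// Added example, not part of the original post or the Inspekt library.
// Assumes Inspekt.php is on the include path.
require_once 'Inspekt.php';

if (PHP_SAPI === 'cli') {
    // Constructed stand-in for a submitted form (fields from Example 1 plus 'qty').
    $_POST = array('fname' => 'testString', 'id' => '250', 'qty' => '0');
}

// From here on $_POST has been emptied by Inspekt; every read goes through the cage.
$post_cage = Inspekt::makePostCage();

// Raw access still exists, but it is the escape hatch, not the default.
$raw = $post_cage->getRaw('fname');   // "testString"

// The test* methods return the value when it passes and false otherwise.
$fname = $post_cage->testAlnum('fname');
$id    = $post_cage->testBetween('id', 100, 600);

// Caveat: a valid value can itself be falsy. testInt('qty') returns the
// string "0", and "0" is false in a boolean context, so a plain if () would
// wrongly reject it. Compare against false explicitly.
$qty = $post_cage->testInt('qty');
if ($qty === false) {
    // only reached when 'qty' is genuinely not an integer
    $qty = null;
}

$errors = array();
if ($fname === false) {
    $errors['fname'] = 'must contain only letters and digits';
}
if ($id === false) {
    $errors['id'] = 'must be a number between 100 and 600';
}

if (count($errors) > 0) {
    // Report and stop; nothing below runs with unvalidated data.
    foreach ($errors as $field => $msg) {
        echo $field, ': ', $msg, "\n";
    }
    exit(1);
}

// Only validated values reach application logic.
printf("name=%s id=%d qty=%s\n", $fname, $id, $qty);
```

With the constructed input this prints `name=testString id=250 qty=0`; change ‘fname’ to a value containing punctuation and the handler stops with the ‘fname’ error instead.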

Besides the above two, the following are some other useful methods:

* testAlnum (mixed $key)
* testAlpha (mixed $key)
* testBetween (mixed $key, mixed $min, mixed $max, [boolean $inc = TRUE])
* testCcnum (mixed $key, [mixed $type = NULL])
* testDate (mixed $key)
* testDigits (mixed $key)
* testEmail (mixed $key)
* testFloat (mixed $key)
* testGreaterThan (mixed $key, [mixed $min = NULL])
* testHex (mixed $key)
* testHostname (mixed $key, [integer $allow = ISPK_HOST_ALLOW_ALL])
* testInt (mixed $key)
* testIp (mixed $key)
* testLessThan (mixed $key, [mixed $max = NULL])
* testOneOf (mixed $key, [ $allowed = NULL])
* testPhone (mixed $key, [ $country = 'US'])
* testRegex (mixed $key, [mixed $pattern = NULL])
* testUri (unknown_type $key)
* testZip (mixed $key)
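The list above gives the signatures but not how the methods are used together. The following added example (not from the original post or the Inspekt project) drives several of them from a single rule table, so that validation lives in one place rather than being repeated ad hoc. It assumes ‘Inspekt.php’ is on the include path; the field names, the allowed roles, the SKU pattern and the $_POST contents are all constructed for the demonstration.

```php
<?php
// Added example, not part of the original post or the Inspekt library.
require_once 'Inspekt.php';

// Constructed request body; 'role' is deliberately outside the allowed list.
$_POST = array(
    'email'   => 'alice@example.com',
    'role'    => 'admin',
    'page'    => '3',
    'sku'     => 'AB-1234',
    'website' => 'https://example.com/',
);
$cage = Inspekt::makePostCage();

// One row per field: the cage method to call and its extra arguments.
// Every test* method follows the same contract: value on success, false on failure.
$rules = array(
    'email'   => array('testEmail', array()),
    'role'    => array('testOneOf', array(array('viewer', 'editor'))),
    'page'    => array('testInt',   array()),
    'sku'     => array('testRegex', array('/^[A-Z]{2}-\d{4}$/')),
    'website' => array('testUri',   array()),
);

$clean  = array();
$errors = array();
foreach ($rules as $field => $rule) {
    list($method, $args) = $rule;
    $value = call_user_func_array(
        array($cage, $method),
        array_merge(array($field), $args)
    );
    if ($value === false) {
        $errors[] = $field . ' failed ' . $method;
    } else {
        $clean[$field] = $value;
    }
}

if (count($errors) > 0) {
    foreach ($errors as $msg) {
        echo $msg, "\n";          // prints: role failed testOneOf
    }
    exit(1);
}
// $clean now holds only fields that passed their rule.
print_r($clean);
```

Keeping the rules in a table makes the allowed inputs reviewable at a glance: a new field is a new row, and a field that is not in the table is never read from the cage at all.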

Caging other input data

In the above examples we have seen how to add the POST data to a ‘cage’ using the ‘Inspekt::makePostCage’ method. Likewise, we can also use other methods for other input types:

• Inspekt::makeGetCage()
Returns an Inspekt_Cage for the $_GET array

• Inspekt::makePostCage()
Returns an Inspekt_Cage for the $_POST array

• Inspekt::makeCookieCage()
Returns an Inspekt_Cage for the $_COOKIE array

• Inspekt::makeServerCage()
Returns an Inspekt_Cage for the $_SERVER array

• Inspekt::makeFilesCage()
Returns an Inspekt_Cage for the $_FILES array

• Inspekt::makeEnvCage()
Returns an Inspekt_Cage for the $_ENV array

So to ‘cage’ the $_GET data we can use the following:

$get_cage = Inspekt::makeGetCage();

Using the Super Cage

Using a different cage for each input type can be cumbersome. For this we can use the ‘makeSuperCage’ method, which encapsulates all the above input sources in a single object.

$super_cage = Inspekt::makeSuperCage();

Example 1. can now be coded as below:

echo $super_cage->post->testAlnum('fname') . " ";
echo $super_cage->post->testBetween('id', 220, 600);
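The super cage exposes the other input sources listed under “Caging other input data” in the same way, as the ‘get’, ‘cookie’, ‘server’, ‘files’ and ‘env’ properties. The following added example (not from the original post or the Inspekt project) reads one value from each of GET, COOKIE, SERVER and POST through the super cage and substitutes a safe default whenever a test fails. It assumes ‘Inspekt.php’ is on the include path; the parameter names, the allowed lists and the request contents are constructed.

```php
<?php
// Added example, not part of the original post or the Inspekt library.
require_once 'Inspekt.php';

// Constructed request; 'sort' is deliberately outside the allowed list.
$_GET    = array('page' => '2', 'sort' => 'created');
$_COOKIE = array('theme' => 'dark');
$_SERVER['HTTP_HOST'] = 'shop.example.com';
$_POST   = array('fname' => 'testString', 'id' => '220');

// One object for every input source; the superglobals are no longer the way in.
$super_cage = Inspekt::makeSuperCage();

// Each source is a property with the same test* API as a single cage.
$page  = $super_cage->get->testInt('page');
$sort  = $super_cage->get->testOneOf('sort', array('name', 'price'));     // false
$theme = $super_cage->cookie->testOneOf('theme', array('light', 'dark'));
$host  = $super_cage->server->testHostname('HTTP_HOST');
$fname = $super_cage->post->testAlnum('fname');
$id    = $super_cage->post->testBetween('id', 220, 600);

// Replace anything that failed with a known-good default instead of
// passing the rejected input along (=== false, since "0" would be falsy).
$page  = ($page  === false) ? 1       : (int) $page;
$sort  = ($sort  === false) ? 'name'  : $sort;
$theme = ($theme === false) ? 'light' : $theme;
$host  = ($host  === false) ? 'localhost' : $host;

printf("page=%d sort=%s theme=%s host=%s\n", $page, $sort, $theme, $host);
// prints: page=2 sort=name theme=dark host=shop.example.com

if ($fname === false || $id === false) {
    echo "form rejected\n";
    exit(1);
}
echo $fname, ' ', $id, "\n";
```

Defaulting on failure is appropriate for presentation parameters such as paging or theme; for form fields that drive application logic, as in the last block, rejecting the request is the safer choice.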


In conclusion

I find Inspekt quite an interesting validation/filtering library. Although the development seems to have stalled at Version 0.4.1, the code is complete and simple to use. This post has only covered a small portion of the library; for more information you can visit the original source.
