LICENSE

Ben Edmunds benedmunds.com

Ed Finkler [email protected]

Version 0.6.3 2022-02-21

Inspekt is a comprehensive filtering and validation library for PHP.

• Accessing user input via the PHP superglobals is inherently dangerous, because the "default" action is to retrieve raw, potentially dangerous data
• Piecemeal, "inline" filtering/validation done at various places in an application's source code is too error-prone to be effective
• The purpose of a library or framework is to make a programmer's job easier. Verbose and/or complex solutions should be avoided unless they are the only solution

• 'Cage' objects that encapsulate input and require the developer to use the provided filtering and validation methods to access input data
• Automatic application of filtering as defined in a configuration file
• A library of static filtering and validation methods
• A simple, clear API
• No external dependencies

User Docs

API Docs

The best idea at the moment is to look at the Examples directory.

<?php
use Inspekt\Inspekt;

/*
 * creates a cage for $_GET, $_POST, $_COOKIE, $_ENV, $_FILES, $_SERVER
 */
$superCage = Inspekt::makeSuperCage();

echo 'Digits:' . $superCage->server->getDigits('SERVER_SOFTWARE') . '<p/>';
echo 'Alpha:' . $superCage->server->getAlpha('SERVER_SOFTWARE') . '<p/>';
echo 'Alnum:' . $superCage->server->getAlnum('SERVER_SOFTWARE') . '<p/>';
echo 'Raw:' . $superCage->server->getRaw('SERVER_SOFTWARE') . '<p/>';

<?php
/**
 * Demonstration of:
 * - use of static filter methods on arrays
 * - creating a cage on an arbitrary array
 * - accessing a deep key in a multidim array with the "Array Query" approach
 */


require_once dirname(__FILE__) . "/../vendor/autoload.php";

use Inspekt\Cage;

$d = array();
$d['input'] = '<img id="475">yes</img>';
$d['lowascii'] = '������� � � � ';
$d[] = array('foo', 'bar<br />', 'yes<P>', 1776);
$d['x']['woot'] = array(
    'booyah' => 'meet at the bar at 7:30 pm',
    'ultimate' => '<strong>hi there!</strong>',
);
$d['lemon'][][][][][][][][][][][][][][] = 'far';


$d_cage = Cage::Factory($d);

var_dump($d_cage->getAlpha('/x/woot/ultimate'));

var_dump($d_cage->getAlpha('lemon/0/0/0/0/0/0/0/0/0/0/0/0/0'));

$x = $d_cage->getAlpha('x');
var_dump($x);

$x = $d_cage->getAlpha('input');
var_dump($x);

<?php
require_once dirname(__FILE__) . "/../vendor/autoload.php";

use Inspekt\Inspekt;

$rs = Inspekt::isUri('http://www.w3.org/2001/XMLSchema');
var_dump($rs);

Install PHPUnit, cd to the root dir of Inspekt, and type

phpunit tests/

• Release to force a composer update

• Bug fix for array_key_exists using ArrayObject instead of Array

• Bug fix for isInt()

• Bug fix for isFloat()

• Backwards-compatibility breaks! Be aware! Read examples!
• removed CodeIgniter helper
• removed all session cage code
• refactor for PSR2 compliance, including namespaces (BC BREAK)
• drop mysql for mysqli escaping calls

• Added composer.json file

• Inspekt_Cage::keyExists now returns boolean again, unless second param is TRUE (then it returns the value if key exists)
• fixed a bunch of missing public/protected definitions
• renamed Inspekt_CageTest.php to CageTest.php so phpunit would load it correctly
• wrote a couple unit tests for Inspekt_Cage::testAlnum

• added new way to add cage accessor methods by extending AccessorAbstract and registering with cage object
• added Inspekt_Cage::addAccessor() and Inspekt_SuperCage::addAccessor()
• modified Examples/extending.php to demonstrate adding new accessor methods
• added HTMLPurifier integration capability and new cage filter getPurifiedHTML()
• added a library for CodeIgniter to use Inspekt in the standard Input object
• make Inspekt::isArrayObject() and Inspekt::isArrayOrArrayObject() public
• added __call() to Inspekt_Cage so we can handle user-defined accessor methods
• added underscore to path portion of isUri() (Nick Ramsay)
• added a new folder for Integration_helpers
• commented out include for Inspekt/Cage/Session in Cage.php because it caused probs generating Cage test skeleton
• made PHPUnit Inspekt_Cage test skeleton
• added simple example for a wrapper that will pull from GET or POST

• refactored and reworked some examples; added db escaping examples
• did some work to get isInt to handle 64 bit integers better (more to do)
• fixed bug in isOneOf where a string pattern wasn't converted properly
• removed some incorrectly optional params for methods
• isRegex now correctly returns a boolean, not an Int
• added missing cage methods getROT13, noTagsOrSpecial, escMySQL, escPgSQL, escPgSQLBytea
• added many more unit tests

• Added Inspekt::getROT13()
• Added Inspekt::escMySQL()
• Added Inspekt::escPgSQL()
• Added Inspekt::escPgSQLBytea()
• Now arrays are only converted to ArrayObjects by cages; arrays passed into static filter calls are returned as arrays.
• More unit tests, and tests moved into InspektTest.php (removed Tests/ subdir)
• cleanup in Inspekt_SuperCage to fix STRICT notices

• Caged properties can now be iterated over b/c we're implementing ArrayObject (Matt McKeon)
• added a number of @assert tests for phpunit testing
• cleaned up function declarations so they would not raise STRICT notices
• leveraged Filter Extention in a couple filter methods; can be turned off with Inspekt::useFilterExt()
• added filter method Inspekt::noTagsOrSpecial() that strips tags, encodes '"&<>, and all low ascii chars (< 32)
• upped recursion limit to 15
• Inspekt::_walkArray will now convert a plain array into an ArrayObject (should it always? Not sure)
• filter methods will now use Inspekt::isArrayOrArrayObject() to determine if they need to walk the array
• fixed some require_once statements to use dirname() resolution so fewer path issues pop up (they showed up when using phpunit)

PHP5 now required, bug fixes for transposed params

Disables processing of $_SESSION

Final OWASP milestone release

Initial Release