benedmunds / inspekt Goto Github PK

View Code? Open in Web Editor NEW

135.0 135.0 22.0 358 KB

Inspekt is a PHP library that makes it easier to write secure web applications

Home Page: http://inspekt.org

License: Other

PHP 100.00%

inspekt's People

Contributors

Stargazers

Watchers

Forkers

vladocar widox a-optic fentie msoftware lazylazycai hamiltonmascioli oglenaut chiehwen sachintaware dwestbrooks chrisspruck slashbunny agoudsmit mystica555 whitewizard619 apbiprogr alex-le ervso

inspekt's Issues

Ambiguous references to ../vendor/autoload.php

I'm curious where these references are actually pointing to..

Interestingly enough, I happen to have a 'vendor/autoload.php' from authorize.net sdk, but I somehow don't think this is what you're referring to?

html/inspekt/Examples# grep vendor *
config.php:require_once dirname(FILE) . "/../vendor/autoload.php";
db_escaping.php:require_once dirname(FILE) . "/../vendor/autoload.php";
extending.php:require_once dirname(FILE) . "/../vendor/autoload.php";
filter_array_cage.php:require_once dirname(FILE) . "/../vendor/autoload.php";
filter_form_input.php:require_once dirname(FILE) . "/../vendor/autoload.php";
filter_static_methods.php:require_once dirname(FILE) . "/../vendor/autoload.php";
filter_superglobals.php:require_once dirname(FILE) . "/../vendor/autoload.php";
formtest.php:require_once dirname(FILE) . "/../vendor/autoload.php";
get_or_post.php:require_once dirname(FILE) . "/../vendor/autoload.php";
htmlpurifier.php:require_once dirname(FILE) . "/../vendor/autoload.php";
iterate_cage.php:require_once dirname(FILE) . "/../vendor/autoload.php";
supercage.php:require_once dirname(FILE) . "/../vendor/autoload.php";
uri_tester.php:require_once dirname(FILE) . "/../vendor/autoload.php";

filter_superglobals.php example enhancement

As title, it looks like this example code looks strange when printing some messages via echo.

Here are the code snippets I mention:

......
echo 'Digits:' . $serverCage->getDigits('SERVER_SOFTWARE') . '<p/>';
echo 'Alpha:' . $serverCage->getAlpha('SERVER_SOFTWARE') . '<p/>';
echo 'Alnum:' . $serverCage->getAlnum('SERVER_SOFTWARE') . '<p/>';
echo 'Raw:' . $serverCage->getRaw('SERVER_SOFTWARE') . '<p/>';
......

And these code snippets should be changed into:

......
echo 'Digits:' . $serverCage->getDigits('SERVER_SOFTWARE') . '<br/>';
echo 'Alpha:' . $serverCage->getAlpha('SERVER_SOFTWARE') . '<br/>';
echo 'Alnum:' . $serverCage->getAlnum('SERVER_SOFTWARE') . '<br/>';
echo 'Raw:' . $serverCage->getRaw('SERVER_SOFTWARE') . '<br/>';
......

I think it means add end of line HTML tag when presenting the messages on the we page :).

Inspekt::isIp() should support ipv6

preeeeety much what it says.

inspekt.org is broken for me

Seems to be some kind of 301 redirect looping and an issue with the SSL certificate.

Different results using local and composer loaded Inspekt

When caging my own array and then checking an element of that array I get different result depending on whether I am using the version of Inspekt downloaded from github as opposed to the version from composer.

For example this works without errors:

<?php
    require_once('inc/Inspekt.php');

    $test = array();
    $test['params'][] = "hello";

    // cage the array
    $params_cage = Inspekt_Cage::Factory($test);
    $one = $params_cage->getAlnum('params/0');
    $two = $params_cage->getInt('params/1');
 ?>

However, if I run the following:

<?php
    require __DIR__ . '/vendor/autoload.php';

    // Inspekt initialisation
    use Inspekt\Inspekt;
    use Inspekt\Cage;

    $test = array();
    $test['params'][] = "hello";

    // cage the array
    $params_cage = Cage::Factory($test);
    $one = $params_cage->getAlnum('params/0');
    $two = $params_cage->getInt('params/1');
?>

Gives the following error:

Fatal error: Uncaught exception 'Inspekt\Exception' with message 'Key '1' does not exist' in /home/ubuntu/workspace/vendor/funkatron/inspekt/src/Inspekt/Cage.php:992 
Stack trace: #0 /home/ubuntu/workspace/vendor/funkatron/inspekt/src/Inspekt/Cage.php(985): Inspekt\Cage->getValueRecursive(Array, Object(ArrayObject), 1) 
#1 /home/ubuntu/workspace/vendor/funkatron/inspekt/src/Inspekt/Cage.php(954): Inspekt\Cage->getValueRecursive(Array, Object(ArrayObject)) 
#2 /home/ubuntu/workspace/vendor/funkatron/inspekt/src/Inspekt/Cage.php(394): Inspekt\Cage->getValue('params/1') 
#3 /home/ubuntu/workspace/it.php(15): Inspekt\Cage->getInt('params/1') 
#4 {main} thrown in /home/ubuntu/workspace/vendor/funkatron/inspekt/src/Inspekt/Cage.php on line 992

Given that you cannot check for null on a caged array (I don't think) this latter functionality makes caging of your arrays less useful.

no apparent way to test for numbers, letters, and spaces

trying to use inspekt in combination with a validator library to ensure security in form input.

use case is, input field is 'full name'. so, it fails testAlnum.

maybe needs a testNoTagsOrSpecial.

also, testEmail fails on some new TLDs.

keyExists, getInt and getRaw fail when value to get is equal to zero

I'm trying to validate a form using Inspekt. One of the fields I'm trying to validate is a select box with values such as -1, 0, 1, 2, etc. I have set -1 as my invalid case, and all other cases are valid. However, when trying to get the value of the select, it works for any value except 0, which makes all of the above mentioned methods to fail (i.e.: return false).

I found it weird, so I thought I would mention it here. Any ideas?

float validation failure with trailing Zero

Seems that strings with trailing Zero do not validate correctly

Inspekt::isFloat("1.60") === false
floatval() trims the trailing Zero
strval(1.6) !== "1.60"

isZip() Regex

The pattern for the isZip() method could be shortened to: /^\d{5}(?:-\d{4})?$/, ?: isn't strictly necessary.

Automatic Type Conversion

$_POST['b'] = '0';
$cage_POST = Inspekt::makePostCage();
var_dump( $cage_POST->testAlnum ('b') ) <--- this should be 0 but FALSE.

$_POST['b'] = '2009-12-25';
$cage_POST = Inspekt::makePostCage();
var_dump( $cage_POST->testGreaterThan ('b') , 25 ) <--- this should be FALSE but '2009-12-25'.

$_POST['b'] = '0';
$cage_POST = Inspekt::makePostCage();
var_dump( $cage_POST->testLessThan ('b') , 25 ) <--- this should be 0 but FALSE.

array_key_exists Problem with ArrayObject on PHP8

Using array_key_exists with Objects no longer works on PHP8.

I get this error: funkatron/inspekt/src/Inspekt/Cage.php(943) -- array_key_exists(): Argument #2 ($array) must be of type array, ArrayObject given

Can be resolved using:
return $exists = array_key_exists($key, (array) $this->source);
or
return $exists = property_exists($this->source, $key);

If you want i can create a PR with one of those changes.

Validating email subdomain, max 6 chars (Inspekt.php#L84)

Just a heads up really for isEmail($value):

The current list of subdomains (http://data.iana.org/TLD/tlds-alpha-by-domain.txt), many are over 6 chars in length.