Is it possible to force your PHP input variables to be strong typed
When I started off with PHP, I was really happy with how PHP was loosely typed and how easy it was to learn. But as I grew into it, I realized that being loosely typed actually complicated my scripts rather then simplifying them. And now I am looking for ways I could strong type my PHP variables, specifically the input variables ($_POST, $_GET, $_COOKIE, $_REQUEST and some $_SERVER vars).
Also, I would like my validation and sanitizing to be hidden away in this process so that I can "forget" about SQL Injection and many of the other error prone validation processes. I have a rough sketch of how I want this to be.
First I declare the variable. Preferably in OOP
$varClass->post->variable_name->type('STR', 'SQL', 'EMAIL'); // or as an array $_MY_POST['variable_name'] = array('STR', 'SQL', 'EMIAIL');
Now I could possibly just drop all undeclared variable from the predefined PHP GLOBALs and use the variable type to validate and sanitize them directly in the global arrays. I could also set the values of unvalidated variables like an emaill to bool false and un-submitted to null and use them during data validation. However, before I went off and re-invented the wheel I was hoping:
some one might direct me to a library which already helps solve my issues? if there were any reasons why I shouldn't pursue on this wild fantasy? Better and more clear ways of achieving this? and Other general thoughts you may have about this idea?
Wraps the superglobals per default, but you could also instantiate local objects with $postFilter = new input($_POST). It's supposed to be used manually like this:
And it complains if it sees any $_POST["raw"] access.
But you can also pre-define filter lists. I would do that centrally in the class-definition. This is supposed to be an add-on for old applications, where you don't want to manually go through the code and rewrite strings to enforce data formats or types:
var $__rules = array( "variable_name" => "email,sql", "order_id" => "int,range:0:500", "order_list" => "array,int", );
But I would personally avoid ->sql escaping prematurely. If available PDO and parameterized SQL should be used. But of course a central escaping feature is anyway better than cautiosness.
Also you can define custom filters. It picks up global functions for example.
PHP was loosely typed
No - its not loosely typed, it's dynamically typed - there's a subtle difference.
actually complicated my scripts rather then simplifying them
My experience is exactly the opposite.
I would like my validation and sanitizing...
Strong typing is not the way to deal with input validation, particularly over medium like HTTP (which is loosely typed). It's just not practical to have type validation for every possible input - sure you can store an email address in a string - but that does not mean the email address is formatted correctly, how do you ensure that a file is an image? How does strong typing ensure that the start date is before the end date?
While recent verions of PHP have filter functionality, I (and most people I know) have long been using my own input validation lib for atoms, and second-order validation (comparing the relative values of more than one input) needs custom code. The only time you should ever change the type of inputs is where there is no resulting data loss (e.g. string to number conversions - but you need to very that you've not lost data as a result). Declaring the expected type of the input var is no more difficult than declaring an actual type for a variable. If you can't create a valid representation of the input suitable for processing, then your code should never guess what the user meant - you need to reject the input and inform the user / calling procedure.
A lot of validation can be very contextual - e.g. 02/12/2010 in the UK is 10 months after the same date in the US.
If you really want PHP to behave as if its strongly typed, have a look at PHPLint
so that I can "forget" about SQL Injection
NO! You validate/sanitize inputs and you transform outputs according to where they are being output to! The right representation of a string for writing to HTML is different from writing it to a URL which is different from writing it to a database.