yiisoft / validator

Yii validator library
https://www.yiiframework.com/
BSD 3-Clause "New" or "Revised" License

Discussion: Using native PHP filter_var functions instead of regex #629

Closed Gerych1984 closed 7 months ago

Gerych1984 commented 8 months ago

Good day. I have a question that has been lingering since version 2: why do the url/email/numeric validators use their own regular expressions instead of native functions? It seems that their built-in functionality is enough to cover the validator's needs. Thanks.

samdark commented 8 months ago

Could be. Likely that's because native functions are too strict but I don't remember the reason for regex.

vjik commented 7 months ago

Because native functions work incorrectly in some edge cases.

For example:

$value = '"attacker\"\ -oQ/tmp/\ -X/var/www/cache/phpcode.php"@email.com';
filter_var($value, FILTER_VALIDATE_EMAIL) !== false; // Valid, but really it's invalid.

$value = '020';
filter_var($value, FILTER_VALIDATE_INT) !== false; // Invalid, but really it's a correct integer number.

$value = 'http://example.com:?test';
filter_var($value, FILTER_VALIDATE_URL) !== false; // Valid, but really it's invalid.
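
An added example, not part of the thread and not yiisoft/validator's own code: one way to layer extra checks on top of `filter_var()` so that the three inputs from the comment above are classified the way that comment expects. The helper names `strictEmail`, `decimalInt` and `strictUrl` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper names, not yiisoft/validator code.

/** E-mail: filter_var() must pass AND the address must contain no quoting. */
function strictEmail(string $value): bool
{
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Quoted local parts can smuggle spaces and backslashes; refuse them.
    return strpbrk($value, "\"\\ ") === false;
}

/** Integer: optional sign plus ASCII digits, so leading zeros are accepted. */
function decimalInt(string $value): bool
{
    // The D modifier stops "$" from matching before a trailing newline.
    // No range check is made here.
    return preg_match('/^[+-]?[0-9]+$/D', $value) === 1;
}

/** URL: filter_var() must pass AND the authority must not end in ":". */
function strictUrl(string $value): bool
{
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    // Capture the authority: everything between "://" and the next / ? or #.
    if (preg_match('~^[a-z][a-z0-9+.-]*://([^/?#]*)~i', $value, $m) !== 1) {
        return false; // this helper only handles scheme://authority URLs
    }
    return substr($m[1], -1) !== ':'; // empty port, as in "example.com:"
}

// The three inputs quoted in the comment above.
$email = '"attacker\"\ -oQ/tmp/\ -X/var/www/cache/phpcode.php"@email.com';
var_dump(strictEmail($email));
var_dump(decimalInt('020'));
var_dump(strictUrl('http://example.com:?test'));
```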