Maarten Manders graciously took the time to review the Zend_Filter component of the Zend Framework. I think criticism and public discussion are healthy. Unfortunately, I don't have time to offer a very detailed response, but I'll try to remedy that with a followup post later in the week.
One thing worth noting is that Zend_Filter was extracted from Zend_InputFilter shortly before the preview release. Because it provides such a rigid approach to input filtering, some contributors pointed out that Zend_InputFilter does not provide enough flexibility for simple cases such as filtering an argument passed to a method. (Discussions have taken place on the mailing list about whether such granular error checking is beneficial.) To remedy this, I decided to separate the filtering methods from the input filtering framework that uses them.
Zend_Filter is far from impressive, in my opinion, because it's simply a library of static methods for filtering data. (I do think the naming convention is more consistent than alternatives.) Combined with Zend_InputFilter, however, it offers a much more structured approach to input filtering, and I think it's a big step in the right direction toward more secure PHP programming.
I should really explain Zend_InputFilter in more detail, but since I'm pressed for time, here are some quick responses to Maarten's specific comments:
- isGreaterThan() and isLessThan() are superfluous now.
- I'd love to see some suggestions (in the form of use cases) for a friendlier isDate(). :-)
- I'm not sure who wrote isHostname(), but refactoring it is near the top of my TODO list.
- Concerning the name for isRegex(), the is prefix is important for reasons of consistency, so perhaps isMatch()?
- isName() is a candidate for removal.
- isPhone() only supports US numbers, because it's a stub. This is one of the few methods where internationalization is going to affect the requirements substantially from one country to the next. It also brings up the question of where to draw the line.
- I have considered adding some escaping methods to Zend_Filter and Zend_InputFilter, but I hate to erode the distinction between filtering and escaping. I have much more to say about this, but it will have to wait.
I'd like to thank Maarten for taking the time to compose his thoughts and impressions, and I'd also like to thank everyone who has done the same on the mailing lists.