[Esapi-php] Issue 15 - HTTPUtilities missing getParameter
jah
jah at jahboite.co.uk
Mon Sep 6 07:40:06 EDT 2010
On 25/08/2010 22:00, J K wrote:
> Hi List,
> I just committed code for the missing getParameter function for HTTPUtilities. Real life has been a little crazy lately, but I should have some more time to devote to the project now. This is my first time contributing to an OWASP project, so if someone could give the code (especially the tests) a quick look-over to make sure it's what you guys are looking for, it would be much appreciated.
Hello Jack,
We took the decision to depart from the Java ESAPI path with regard to Validator methods. It was Mike's contention that the various method names were confusing and so we ended up with:
private _assertValidXXXX - throws exception if input is not valid
public isValidXXXX - returns boolean
and getValidXXXX were all removed, as it was these that Mike considered confusing for developers. There are a few discussions on this topic somewhere in this list, particularly the long thread at [1].
So with that in mind, getParameter ought to use the existing isValidInput Validator method rather than introducing getValidInput. This means however that getParameter would no longer throw exceptions for invalid parameter values, but I don't think this is a problem.
So if you're up for making the following changes:
Revert any changes you made to Validator, DefaultValidator and ValidatorTest.
Change the call to getValidInput (in getParameter) to isValidInput.
That would be great. Also, when copying code from ESAPI for Java, remember to double-check the syntax - especially things like string concatenation operators.
Finally, I'm not sure what we can do to test the getParameter method at the moment since we don't have a request object that we can instantiate with arbitrary request params. The comments for the constructor of SafeRequest include a couple of TODO items to extend the constructor to accept parameters which could be the way to go for testing purposes.
Best,
jah
[1] - https://lists.owasp.org/pipermail/esapi-php/2010-March/000661.html
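
The naming convention and the requested change to getParameter described in the message above, shown as an added example; it is not part of the original e-mail or of the ESAPI for PHP code base. SketchValidator, the whitelist pattern, the 100-byte limit and returning null for an invalid value are assumptions made for this sketch.

```php
<?php
// Added illustration: SketchValidator and this getParameter are hypothetical, not ESAPI for PHP code.
class SketchValidator
{
    // private _assertValidXXXX: throws an exception if the input is not valid
    private function _assertValidInput(string $context, $input, string $pattern, int $maxLength, bool $allowNull): void
    {
        if ($input === null || $input === '') {
            if ($allowNull) {
                return;
            }
            throw new InvalidArgumentException("$context: input required");
        }
        if (!is_string($input)) { // e.g. ?ids[]=1 arrives as an array
            throw new InvalidArgumentException("$context: input must be a string");
        }
        if (strlen($input) > $maxLength) {
            throw new InvalidArgumentException("$context: input longer than $maxLength bytes");
        }
        if (preg_match($pattern, $input) !== 1) {
            throw new InvalidArgumentException("$context: input does not match the whitelist");
        }
    }
    // public isValidXXXX: returns boolean; the exception never reaches the caller
    public function isValidInput(string $context, $input, string $pattern, int $maxLength, bool $allowNull): bool
    {
        try {
            $this->_assertValidInput($context, $input, $pattern, $maxLength, $allowNull);
            return true;
        } catch (InvalidArgumentException $e) {
            return false;
        }
    }
}

// getParameter on top of isValidInput: an invalid value yields null (assumed) rather than an exception.
function getParameter(array $params, string $name, SketchValidator $validator): ?string
{
    $value = $params[$name] ?? null;
    $pattern = '/\A[A-Za-z0-9_.-]*\z/'; // assumed whitelist for this sketch
    $ok = $validator->isValidInput("HTTP parameter: $name", $value, $pattern, 100, true);
    return ($ok && is_string($value)) ? $value : null;
}

// Constructed sample parameters: one clean value, one value containing CR/LF, one array.
$params = ['user' => 'jack_k', 'redirect' => "x\r\nSet-Cookie: a=b", 'ids' => ['1', '2']];
foreach (['user', 'redirect', 'ids', 'missing'] as $name) {
    var_dump(getParameter($params, $name, new SketchValidator()));
}
```

Because the caller cannot distinguish an absent parameter from a rejected one in this sketch, any logging of rejected values would have to happen inside the validator.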