When sanitising with our filter service we don't get any notifications when the filter doesn't exist.
For example this will work:
```php
$locator = new Phalcon\Filter\FilterFactory();
$filter = $locator->newInstance();
$filter->sanitize("filterMe", ['string', 'trim', 'nonexisting']);
```
For 4.1 or 5 I would like to throw an exception if the filter doesn't exist.
If we don't break SemVer, I would like to suggest throwing a notice or deprecation in 4.0.x when we call the sanitiser with a non-existing filter.
IMO, this should be a warning, not a notice or a deprecation. We're not planning to remove this functionality, so we shouldn't deprecate it. We just plan to improve it. As for a notice: in production systems notices are usually disabled, so if we introduce just a notice, then far fewer users will be notified about future changes.
@niden What do you think? Otherwise I will add this for 4.0.x
I am not proposing we remove it - far from it. What I was saying is that right now, if you misspell a filter nothing happens - the value does not get sanitized.
If we introduce an exception for a filter that does not exist, then we are breaking semver since some applications will break due to typos. Hence why I mentioned that we might want to wait for a major release.
The trigger_error would allow us to introduce this earlier but it is not something I like doing personally. I am happy with either of the above.
I agree that we break semver if we start throwing exceptions now. So yes. Let's put this into 4.1 or 5.
From my point of view this is currently a security risk. You assume everything is sanitized, but due to a typo or a wrongly defined filter you receive the value back unsanitized. That's why I think we should let the user know something.
My idea of using deprecated was to inform the user that sanitising with non existing filters will throw an exception in future versions. Sending a notice or warning would also work for me.
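The fail-closed behaviour discussed in this thread, as an added example that is not part of the original issue and not Phalcon's own code. `LenientFilter` is a constructed stand-in for the silent-skip behaviour reported above, so the script runs without the extension, and `sanitizeStrict` is a hypothetical helper that assumes only that the filter object offers `has()` and `sanitize()`.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the behaviour reported in this thread:
// sanitizer names that are not registered are skipped without any error.
final class LenientFilter
{
    private $sanitizers;

    public function __construct(array $sanitizers)
    {
        $this->sanitizers = $sanitizers;
    }

    public function has(string $name): bool
    {
        return isset($this->sanitizers[$name]);
    }

    public function sanitize($value, array $names)
    {
        foreach ($names as $name) {
            if ($this->has($name)) {
                $value = ($this->sanitizers[$name])($value);
            }
        }
        return $value;
    }
}

// Hypothetical helper: validate every requested name first, then sanitize.
// Fails closed, so a typo can never hand back an unsanitized value.
function sanitizeStrict(object $filter, $value, array $names)
{
    $unknown = array_values(array_filter($names, function ($name) use ($filter) {
        return !$filter->has($name);
    }));
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unknown sanitizer(s): ' . implode(', ', $unknown));
    }
    return $filter->sanitize($value, $names);
}

$filter = new LenientFilter(['trim' => 'trim', 'striptags' => 'strip_tags']);
$input  = ' <b>filterMe</b> ';   // constructed sample input

var_dump($filter->sanitize($input, ['trim', 'striptag']));   // typo is silently ignored
try {
    sanitizeStrict($filter, $input, ['trim', 'striptag']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The helper handles only the plain list-of-names form used in the issue's example, not sanitizers passed with parameters.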
Resolved