Validation
Form validation is a tedious thing. In fact, it is so common and tedious, you might think that the form validation problem would have been solved a long time ago, and that now it’s a matter of dropping in a solution in a few lines. That’s not quite true.
Pox is designed so that the web designer can lay out the form in any way they wish, with a simple way to mark up validation errors for developers. Coders are able to code up the form, validate it, and handle success or failure in one place. We ended up using Zend_Filter_Input, which pushes any data you give it through a set of specified validators and filters. With this, you can pass it the form input directly, and it passes or fails the form data depending on the validators set up by the coder.
Here is the Pox Form class. You can read about its usage in the blog tutorial on the page about creating a blog.
Security
Web security generally has one mantra:
Filter input, escape output.
We wanted security to be an integral part of forms. The idea was to force developers to think about filtering input, and to make it more inconvenient to build something insecure. The Inspekt library does this. If you give it data, it destroys the original and creates a “cage” around the data. From then on, the only way to access the data is via an Inspekt filter method. This encourages thinking about filtering all input, and not using unfiltered input (though that is still possible).
In the Form class, you can see that when a form passes, its input is given to Inspekt, destroying the original $_POST data. Then the Inspekt filters must be used to access the form data.
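The validation step and the caging step described above, carried through end to end as an added example. This is not the Pox Form class or code from either library; it assumes Zend Framework 1 and Inspekt are on the include path, and the field names, rules and sample request are constructed for illustration.

```php
<?php
// Added example (not Pox's own Form class): run the request through
// Zend_Filter_Input, and only on success hand it to an Inspekt cage so the
// rest of the code can reach the data solely through a filter method.
// Assumes ZF1 and Inspekt on the include path; field names are made up.
require_once 'Zend/Filter/Input.php';
require_once 'Inspekt.php';

// Constructed sample request standing in for a real POST.
$_POST = array(
    'title'        => '  Hello <b>world</b> ',
    'body'         => 'First post',
    'author_email' => 'alice@example.com',
);

// Filters run first ('*' applies to every field), then validators decide.
$filters = array(
    '*'     => 'StringTrim',
    'title' => 'StripTags',
);
$validators = array(
    'title'        => array('NotEmpty', array('StringLength', 1, 120)),
    'body'         => array('NotEmpty'),
    'author_email' => array('EmailAddress'),
);

$input = new Zend_Filter_Input($filters, $validators, $_POST);

if (!$input->isValid()) {
    // Failure: one place to collect messages for the designer's error markup.
    // (With 'not-an-address' in author_email, this branch would be taken.)
    foreach ($input->getMessages() as $field => $messages) {
        foreach ($messages as $msg) {
            echo htmlspecialchars("$field: $msg"), "\n";   // escape output
        }
    }
    exit;
}

// Success: cage the request. Inspekt copies $_POST into the cage and sets the
// superglobal to null, so the only way in is one of the typed accessors.
$post = Inspekt::makePostCage();
var_dump($_POST);                           // NULL: the original is gone

$title = $post->noTags('title');            // tags stripped again, explicitly
$body  = $post->getRaw('body');             // raw access has to be spelled out
$email = $post->testEmail('author_email');  // false unless it is an address
```

Assumed method names (makePostCage, noTags, getRaw, testEmail, getMessages) are the ones these libraries document; check them against the versions you ship.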