Very nice proposal and exactly what is needed in my opinion. I was working on sometime similar for my own use but then much simpler. Intended to suit my needs before an official component would be released. I implemented your solution already for my current application to see how it works

It works great and I really hope this proposal will be included in the version 1 release.

Because really this is what Zend Framework is really missing at the moment.

In some cases you will have a field that is not a requirement but if it is filled you want to validate it against a set of rules. But if the field is empty it should also give true on isValid().

Any plans to implement this ??

Something that is missing is the ability to determine which validator failed in the case of multiple validation rules. The programmer could then use that information to send back to the user a more informative error message.

For example:
If we use the code sample above where "month" has the validation rules: "digits" and "between 1-12" defined. If the data passed is "a", I'd like to know which validator failed validation ('digits', between').

There seems to be two solutions that stand out. One solution was in Zend_Form proposal where each validator would push onto an error array a key word related to the validator. Then that word was used as a key into an error messages array. Sticking with the same example, the validator would push 'digits' or 'between' onto the error array. More details are located here on the "error handling" tab:
http://framework.zend.com/wiki/pages/viewpage.action?pageId=3596

The other solution is to be able to set the error message when defining the validator array for the Zend_Filter_Input.

There are probably other solutions but something is needed.

Another area that hasn't been discussed is validation of multiple fields. For example, validating that a 'password' field and 'password_confirm' field are equivalent. Another common case would be the case of an optional address. In this case either all the fields are supplied (address, city, state, zip) or none.

I was curious:

"This component will return filtered and validated field values in escaped format using accessors."

Is it a good idea to use an escape function by default? I can understand setting a few default filters like trim(), but having a html-specific escaper as a default doesn't make much sense unless it's a conscious user choice.

We already have Zend_View knocking around with the exact same functionality in the output layer, and I don't see a need for this to appear once again in the least expected place - the input layer. Honestly, how many people are going to need escaped input in a Controller? Until it becomes output early escaping is only begging for users to become confused.

I still don't get it to be honest. It just seems wrong to be escaping input by default and forcing everyone to jump through hoops to get hold of the validated input in a format suitable for writing to a database, file, log, external web service or any other of a hundred different reasons for it being in a Controller - not a View.

I'm all for flexibility and adding safety nets but this one is running far outside it's range of a View, taking up the simple fluid interface with cumbersome getters, and requiring more decision making on when and where specific inputs were (or were not) escaped by my mad horde of web designers with minimal PHP skills. The poor souls...

The old implementation of Zend_Filter_Input actually overwrote values in $_GET and $_POST, so that you couldn't get them in non-escaped format at all. I thought that overwriting superglobal data was highly inappropriate, and it also broke Zend_Controller's usage of superglobals.

The old class didn't commit any escaping. Not here to argue the superglobal issue since it (unfortunately) plays havoc across the board even unto encapsulated applications.

Because Zend Framework is primarily designed for developing web applications, it's reasonable that the default escape filter is for HTML output.

...once it's identified as output, which is questionable until it's passed through the Controller and been assigned to a View (or explicitly outputted instead of View assignment). Before that determination is made, I have to fill my code with the horror of getUnescaped() references . Or override the behaviour when constructing the class. I just think it's a shame one has to do all those little upfront tweaks before getting the class to perform its sole responsibility - filtering/validating to clean input which awaits a context for further manipulation.

I have committed a significant update to the Zend_Filter_Input class in the incubator, and also unit tests and documentation.

Please update to revision 4776 and take a look!

One could also override the __get() method to point to the getUnescaped() function. That's really the only behaviour I don't agree with.

I'll probably spend the rest of my days bemoaning escaping being present in an input validate/filter chain but I can live with the class extending. I still think it's bizarrely inconsistent when there's two parts of the application with overlapping responsibilities.

I would think that it is a good feature that an unescaped value is retrieved with a "cumbersome" function call like getUnescaped() - so anyone reading your app code wakes up and says, "wow it's not escaped! I need to be careful with that value."

I'd prefer a cumbersome getRaw()/getUnvalidated() to a cumbersome getUnescaped() . Any plans to add such or is that being left completely to the Superglobals? I don't really object too much - I can always check the source code with a regex before battering the developers over the head for using superglobals in the wrong way or subclass something in...just as easily as I can check for any View references to $this/$view not followed somewhere in the fluid interface by "->escape(".

Now I just need to jam a translation object in somewhere and I'm in business...

Appreciate the work!!!

I have read through the documentation and I like what is being done. I think this is a valuable contribution to the framework. These fundimental components not only help to simplify and structure my code, but further my understanding of what should be included in a properly developed php application. Without Zend_Filter_Input, Zend_Filter and Zend_Validate make sense, but left me wondering how to structure them group or structure them in my code. Zend_Filter_Input seems to bring them together nicely while providing a simpler and more complete solution for reporting invalid data. I shall see if that is true as I try to impliment it.

I found the following typo in the documentation.

"1.1.3.2. Getting Valid Fields

All fields that are neither invalid, missing, nor unknown are considered valid. You can get values for valid fields a magic accessor."

Maybe you are missing 'using' or 'utilizing' before 'a magic accessor.' I'll leave that up to you. Otherwise it seemed good to me.

This class is never going to get off the ground until the developer is able to override the Zend_Validate_? default error message. I believe that this is a fundamental flaw in the Zend_Validate_? class and should be resolved. With the easiest and cleanest change adding a conditional parameter in the constructor.

It's also imparative that the developer be able to specify the "required" error message generated in Zend_Filter_Input.

Then there's the problem of validating multiple fields (password = password_confirm). What if we had a meta command 'multi' that would cause the Zend_Filter_Input to send the Zend_Validate_xxx the entire array of data to validate?

I'm throwing out ideas to try to get some discussion on this topic. I think it's pretty important to the framework.

Thoughts?

I don't think the current getMessage() errors could ever be used. The simple reason is that people want to control what their pages present to the end-user, and that rarely allows for a framework making such decisions. It has to be a String parameter when setting up a validation chain, mainly to allow for folk to pass a translated string as a parameter.

I'm actually not sure messages should be handled by the Rule classes, it seems like a ta