Validators

PHP Engine only

A validator checks whether the characters of a given source are within a safe character set. If they are not, the data is rejected.

For example, the PHP built-in function is_numeric() returns true only if numerical values are present, which makes the data safe to use in a sensitive sink. Other examples of validation mechanisms include a whitelist check against an array (in_array()) or against a regular expression (preg_match()). PHP ships with a variety of built-in validation functions that are automatically detected by RIPS.

If a validator was not identified correctly during analysis, or if the validator is not defined within the analyzed code, additional validators can be configured in this section. For each function or method that returns true for validated data, please specify the number of the validated parameter (starting with "1") and the validated characters. Based on the specified characters, RIPS then decides against which vulnerability types the data is safe. Please refer to the code examples for further details.
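The following is an added illustration, not taken from the RIPS documentation: a custom validator method of the kind described above, where the validated parameter is number 2 and the validated characters are a-z, 0-9 and "_". The class, method and function names are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical validator class; all names are assumptions made for this example.
final class InputCheck
{
    /**
     * Returns true only if $value consists solely of a-z, 0-9 and "_".
     * Validated parameter: 2 ($value). Parameter 1 is only a label for logging.
     */
    public static function isIdentifier(string $field, $value): bool
    {
        // \A and \z anchor the whole string; a plain "$" would also accept a
        // trailing newline and so widen the validated character set.
        $ok = is_string($value) && preg_match('/\A[a-z0-9_]{1,64}\z/', $value) === 1;
        if (!$ok) {
            error_log("rejected value for field '$field'");
        }
        return $ok;
    }
}

// Column names cannot be bound as query parameters, so the value must be
// validated before it is concatenated into the statement.
function buildOrderBy(array $request): string
{
    $column = $request['sort'] ?? 'id';
    if (!InputCheck::isIdentifier('sort', $column)) {
        // Validation failed: the data is rejected, not repaired.
        throw new InvalidArgumentException('invalid sort column');
    }
    // Sensitive sink: only reachable on the branch where the validator returned true.
    return 'SELECT id, name FROM users ORDER BY ' . $column;
}

// Constructed sample inputs: two valid identifiers, then three that must be rejected.
$samples = ['name', 'created_at', "name\n", 'name OR 1=1', ['name']];
foreach ($samples as $sample) {
    try {
        echo buildOrderBy(['sort' => $sample]), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($sample), PHP_EOL;
    }
}
```

The validated characters declared for such a method should match what the pattern actually accepts. If the regular expression is loosened later, the declared character set has to be updated with it.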


Adding a PHP method as validator