>I think your latter points are orthogonal to this. And that you are
>taking my advocacy for adding filtering to apply too literally to only
>the specific implementations in filter_input().
Firstly, I deliberately didn't say "the filter API isn't well designed", I said "designing a good validation API is hard". In particular, finding the balance between flexibility and simplicity is key.
Including a single blessed validation API in something as fundamental as a request object should take a lot of careful design, not be an afterthought to something like the current RFC.
I also talked specifically about moving away from the old assumptions of CGI. What does it mean to "filter" a JSON body? We could check it's valid JSON, but parsing it will reveal that anyway. We could automatically parse it in the request object, and have "filters" apply to individual elements; but where would the user supply parser options, and how would you specify nested elements?
Or we could keep it as a dumb string, and leave the validation to other systems, like a JSON Schema validator.
Even with a plain HTML form, you might be using a form builder and want to associate your validation with the form definition rather than having it baked into the request object.
>But given how much work it is get to an RFC over the line, it feels
>like decoupling would end up with a lot more work, lengthen the
>timeline to achieve base level functionality, and add uncertainty to
>whether it will even happen whereas handling the 20% now that we need
>80% of the time would mean the API would be mostly fully usable out of
Funny, I see the exact opposite: trying to build a single set of classes which include a system for getting global state AND a system for parsing it in different ways AND an in-built validation API seems like a mammoth task. And if you keep it monolithic, any feature you miss or make a mistake on is much harder to fix later.