Newsgroups: php.internals
Subject: A validator module for PHP7
From: Yasuo Ohgaki (yohgaki@ohgaki.net)
To: internals@lists.php.net
Date: Mon, 4 Sep 2017 15:33:41 +0900
Hi all,

I spent a little time on a new input validation module. It's not a totally new module, but is based on the Filter module's validation filter improvement RFC in many ways. [1]

As we all know already, input validation is the most important practice in secure coding. [2][3] Yet, we don't provide a usable feature out of the box. Sadly, almost all apps do not have proper input validation at the trust boundary. Unless we improve filter's validation, we need a usable basic validator by default, IMO.

Since I didn't get much feedback during the RFC discussion, I cannot tell what part is disliked. I guess too many features in filter is one reason. Another is the messed-up code/features from providing both "filter" and "validation".

Validator for PHP7 (validate module) gets rid of unneeded features. It only has features for basic PHP data type validations. The validation rule (spec) array is flexible enough. Almost any type of input could be handled by multiple and nested validation rules. Except for some minor features like overflow checks, most planned features are implemented.

https://github.com/yohgaki/validate-php

Although the code is based on the filter module's code, it's almost a full rewrite except for the validation logic that came from filter.

Please consider this as an under-development module. Feedback is appreciated.

Regards,

[1] https://wiki.php.net/rfc/add_validate_functions_to_filter
[2] https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
[3] https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

--
Yasuo Ohgaki
yohgaki@ohgaki.net
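The post argues for validating input at the trust boundary with a rule (spec) array that can cover nested input. The following is an added example written for this page, not code from the validate-php module and not its API; it shows the same idea using PHP's existing filter extension, which the module is derived from. The request fields, the spec array, the limits and the `validate_request()` helper are all assumptions chosen for illustration; the sample request is constructed, not captured from a real application.

```php
<?php
// Added example: allowlist-style input validation at the trust boundary
// with PHP's built-in filter extension (filter_var_array). This is NOT the
// validate-php module's API; it demonstrates the pattern the post describes.
declare(strict_types=1);

// Constructed sample request, shaped like $_POST after a form submit.
// Several fields are deliberately out of policy.
$request = [
    'user_id' => '1337',
    'email'   => 'alice@example.com',
    'age'     => '17',
    'role'    => "admin'; DROP TABLE users; --",
    'tags'    => ['php', 'security', str_repeat('x', 300)],
    'extra'   => 'not in the spec, so it is dropped',
];

// Validation spec (assumed field names and limits). One rule per expected
// field; filter_var_array() ignores anything not listed here, so unexpected
// parameters never reach application code. FILTER_REQUIRE_ARRAY applies the
// rule to every element of a (possibly nested) array.
$spec = [
    'user_id' => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ],
    'email' => FILTER_VALIDATE_EMAIL,
    'age' => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 18, 'max_range' => 130],
    ],
    'role' => [
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => ['regexp' => '/\A(?:user|editor|admin)\z/'],
    ],
    'tags' => [
        'filter'  => FILTER_VALIDATE_REGEXP,
        'flags'   => FILTER_REQUIRE_ARRAY,
        'options' => ['regexp' => '/\A[a-z0-9-]{1,32}\z/'],
    ],
];

/**
 * Validate $input against $spec. Returns [validated values, errors].
 * With add_empty=true, a missing field yields null and a failed field
 * yields false (or false for the failing element inside an array),
 * so both cases can be reported without guessing at defaults.
 */
function validate_request(array $input, array $spec): array
{
    $result = filter_var_array($input, $spec, true);
    $errors = [];

    foreach ($result as $field => $value) {
        if ($value === null) {
            $errors[$field] = 'missing';
        } elseif ($value === false) {
            $errors[$field] = 'invalid';
        } elseif (is_array($value)) {
            // FILTER_REQUIRE_ARRAY marks each failing element as false.
            array_walk_recursive($value, function ($element) use (&$errors, $field) {
                if ($element === false) {
                    $errors[$field] = 'invalid element';
                }
            });
        }
    }

    return [$result, $errors];
}

[$validated, $errors] = validate_request($request, $spec);

// Fail closed: any validation error rejects the whole request. Do not
// "sanitize" and continue; validation at the boundary is accept/reject.
if ($errors !== []) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=UTF-8');
    foreach ($errors as $field => $reason) {
        echo "$field: $reason\n";
    }
    exit(1);
}

// Only here does the application see typed, policy-checked values
// (e.g. user_id and age are already ints, not strings).
var_dump($validated);
```

In the constructed request, `age`, `role` and the third `tags` element are intended to violate the spec, and `extra` is not in the spec at all, so the script rejects the request and reports the offending fields rather than passing partially cleaned data on. The key design point the post makes is visible in the spec array: each accepted field has an explicit type and range, arrays are validated element by element with the same rule, and everything else is dropped.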