Newsgroups: php.internals
Subject: Re: [PHP-DEV] A validator module for PHP7
From: lester@lsces.co.uk (Lester Caine)
To: internals@lists.php.net
Date: Tue, 5 Sep 2017 14:44:04 +0100
Message-ID: <2a4491b4-e6f5-4297-beec-363f373a93e6@lsces.co.uk>
References: <0C7F986C-B0BC-4315-98ED-B4FD003B9399@gmail.com>

On 05/09/17 14:08, lists@rhsoft.net wrote:
>
>
> On 05.09.2017 at 13:36, Lester Caine wrote:
>> On 05/09/17 12:18, Yasuo Ohgaki wrote:
>>> I cannot guess people's thought.
>>> I appreciated feedback!
>>
>> With a decent database layer a lot of the validation you are proposing
>> is already covered but PDO does not help in this area. Adding another
>> layer that does not integrate with a storage layer is just adding to the
>> current mess ...
>
> sorry, but you confuse "input validation" which this topic is about with
> something different - input validation and rejecting bad requests belongs
> some layers on top of any storage and should be done as soon as possible
>
> that should even happen long before you open a database connection at
> all because when you know the request is bad soon enough you won't talk
> to any database, filesystem or whatever storage layer at all
>
> the only question as application developer is how you proceed in which cases
>
> * reject the whole request with an error-message
> * reset form-fields where you don't expect an array as input
> * reset form-fields with out-of-range input values
>
> here you go:
> https://en.wikipedia.org/wiki/Data_validation

When the database layer provides a complete list of fields and validation
rules as part of its metadata, it is integral to any GOOD process. Copying
all that data and manually creating filter rules is just unnecessary work.
In addition much of the VALIDATION is best done at the browser end, and
building that code is a lot easier when there is a standard validation base
across all of the layers!

Rejecting crap from hackers that has no format matching the fields on the
browser page is something else, and if the data set is corrupt then yes you
can simply skip out before doing anything with it! But the problem these
days is when hackers try injecting things like SQL into fields they think
may be able to get through to the database. Provided that the validation
layer can properly filter that injection requires knowledge that a string
has reason to be rejected. Just as simply type casting a number to integer
or float is only doing a small part of the job.

Typing and validating a field by the metadata constraints has to be the
right way forward?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
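The thread above contrasts two ideas: validating a request before any storage layer is touched (rejecting the whole request, or resetting fields that arrive as arrays or with out-of-range values), and driving that validation from field metadata of the kind a database layer already holds. The following is an added example written for this page, not code from the thread, from PHP, or from any proposed validator module. The `FIELD_META` schema, the field names and limits, the `validateField`/`validateRequest` helpers and the sample request are all constructed for illustration; a real implementation would generate the schema from the storage layer's column constraints.

```php
<?php
// Added example, not part of the original thread. All names and values here
// are constructed for illustration.
declare(strict_types=1);

// Constructed metadata in the spirit of column constraints: type, nullability,
// length/range limits. A database layer could expose this instead of the
// application copying it by hand.
const FIELD_META = [
    'id'       => ['type' => 'int',    'min' => 1],
    'quantity' => ['type' => 'int',    'min' => 0, 'max' => 1000, 'default' => 0],
    'price'    => ['type' => 'float',  'min' => 0.0],
    'sku'      => ['type' => 'string', 'maxlen' => 32, 'pattern' => '/^[A-Z0-9-]+$/'],
    'note'     => ['type' => 'string', 'maxlen' => 200, 'nullable' => true],
];

/**
 * Validate one raw request value against its metadata.
 * Returns [bool ok, typed value or null, string reason].
 */
function validateField(array $meta, $raw): array
{
    // A scalar field must never arrive as an array (e.g. ?id[]=1).
    if (is_array($raw)) {
        return [false, null, 'array where scalar expected'];
    }
    if ($raw === null || $raw === '') {
        return !empty($meta['nullable']) ? [true, null, ''] : [false, null, 'missing'];
    }
    switch ($meta['type']) {
        case 'int':
            $v = filter_var($raw, FILTER_VALIDATE_INT);
            if ($v === false) return [false, null, 'not an integer'];
            break;
        case 'float':
            $v = filter_var($raw, FILTER_VALIDATE_FLOAT);
            if ($v === false) return [false, null, 'not a float'];
            break;
        case 'string':
            $v = (string)$raw;
            if (isset($meta['maxlen']) && strlen($v) > $meta['maxlen']) return [false, null, 'too long'];
            if (isset($meta['pattern']) && !preg_match($meta['pattern'], $v)) return [false, null, 'bad format'];
            break;
        default:
            return [false, null, 'unknown type'];
    }
    // Range checks apply to the typed value, not the raw string.
    if (isset($meta['min']) && $v < $meta['min']) return [false, null, 'below minimum'];
    if (isset($meta['max']) && $v > $meta['max']) return [false, null, 'above maximum'];
    return [true, $v, ''];
}

/**
 * Validate a whole request before any storage layer is opened.
 * $policy is 'reject' (the whole request fails on the first bad field) or
 * 'reset' (bad fields are replaced by their metadata default and reported),
 * the two choices named in the thread.
 */
function validateRequest(array $request, array $schema, string $policy = 'reject'): array
{
    $clean = [];
    $problems = [];
    foreach ($schema as $name => $meta) {
        [$ok, $value, $reason] = validateField($meta, $request[$name] ?? null);
        if ($ok) {
            $clean[$name] = $value;
            continue;
        }
        $problems[$name] = $reason;
        if ($policy === 'reject') {
            return ['ok' => false, 'data' => [], 'problems' => $problems];
        }
        $clean[$name] = $meta['default'] ?? null;   // reset the field
    }
    // Fields not in the schema are dropped rather than passed through.
    return ['ok' => $problems === [], 'data' => $clean, 'problems' => $problems];
}

// Constructed sample request covering the cases discussed: an array where a
// scalar is expected, an out-of-range value, and text that does not match
// the field's declared format.
$request = [
    'id'       => ['1'],        // array instead of scalar
    'quantity' => '5000',       // above the declared maximum
    'price'    => '9.99',
    'sku'      => 'abc 123;',   // fails the SKU pattern
    'note'     => '',           // nullable, so accepted as null
    'extra'    => 'ignored',    // not in the schema, dropped
];

print_r(validateRequest($request, FIELD_META, 'reject'));
print_r(validateRequest($request, FIELD_META, 'reset'));
```

With `'reject'` the first failing field (`id`) stops processing and nothing reaches the database; with `'reset'` every field is checked, `id` and `sku` become `null`, `quantity` falls back to its declared default of `0`, and the three problems are reported together. Because the same `FIELD_META` array can be serialised for the browser, the client-side checks the thread mentions can be generated from the identical source rather than maintained separately.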