Newsgroups: php.internals
Subject: Re: [PHP-DEV] A validator module for PHP7
From: lists@rhsoft.net
Date: Tue, 5 Sep 2017 16:13:10 +0200

On 05.09.2017 at 15:44, Lester Caine wrote:
> On 05/09/17 14:08, lists@rhsoft.net wrote:
>> the only question as application developer is how you proceed in which cases
>>
>> * reject the whole request with an error message
>> * reset form-fields where you don't expect an array as input
>> * reset form-fields with out-of-range input values
>>
>> here you go:
>> https://en.wikipedia.org/wiki/Data_validation
>
> When the database layer provides a complete list of fields and
> validation rules as part of its metadata, it is integral to any GOOD
> process

your first error is thinking every input is related to databases at all

> Copying all that data and manually creating filter rules is
> just unnecessary work. In addition much of the VALIDATION is best done
> at the browser end, and building that code is a lot easier when there is
> a standard validation base across all of the layers!

NO VALIDATION is best done at the browser end because no attacker ever will execute your client-side validation code or operate a browser at all

> Rejecting crap from hackers that have no format matching the fields on
> the browser page is something else and if the data set is corrupt then
> yes you can simply skip out before doing anything with it!

and that's what the whole topic is about
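Added example, not from this thread or from the proposed validator module: a hypothetical `validate()` built on PHP's existing filter extension that implements the server-side choices listed above, either rejecting the whole request or resetting fields that arrived as an array or out of range. The rules, defaults and the hostile request are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed rules for a hypothetical order form; every field expects a scalar.
const RULES = [
    'qty'   => ['filter' => FILTER_VALIDATE_INT,   'options' => ['min_range' => 1, 'max_range' => 99], 'default' => 1],
    'email' => ['filter' => FILTER_VALIDATE_EMAIL, 'options' => [],                                   'default' => ''],
];

/**
 * Server-side validation of a request array (e.g. $_POST) against RULES.
 *  - 'reject' mode: any invalid field fails the whole request (returns null).
 *  - 'reset'  mode: an invalid field (an array where a scalar is expected, or an
 *                   out-of-range value) is replaced by the rule's default.
 * The names of the fields that failed are reported through $errors.
 */
function validate(array $input, string $mode, array &$errors = []): ?array
{
    $clean  = [];
    $errors = [];
    foreach (RULES as $field => $rule) {
        $raw = $input[$field] ?? null;          // missing field is treated as invalid
        // FILTER_REQUIRE_SCALAR turns a smuggled array (field[]=x) into a failure;
        // FILTER_NULL_ON_FAILURE keeps that failure distinct from a genuine 0 or false.
        $value = filter_var($raw, $rule['filter'], [
            'options' => $rule['options'],
            'flags'   => FILTER_REQUIRE_SCALAR | FILTER_NULL_ON_FAILURE,
        ]);
        if ($value === null) {
            $errors[] = $field;
            if ($mode === 'reject') {
                return null;                    // one bad field rejects the whole request
            }
            $value = $rule['default'];          // 'reset': fall back to a safe default
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Constructed hostile request: qty out of range, and an array where a string is expected.
$request = ['qty' => '500', 'email' => ['a@example.com']];

$errors = [];
var_dump(validate($request, 'reject', $errors), $errors);
var_dump(validate($request, 'reset', $errors), $errors);
```

Nothing here depends on the browser having run any client-side check; the same function is applied to whatever bytes actually arrived in the request.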