Newsgroups: php.internals
Subject: Re: [PHP-DEV] A validator module for PHP7
From: lester@lsces.co.uk (Lester Caine)
To: internals@lists.php.net
Date: Tue, 5 Sep 2017 17:57:11 +0100
Message-ID: <6ba62d62-f1ab-9e7b-93f0-a1a9238c47a6@lsces.co.uk>
In-Reply-To: <3f8be7b1-0e59-21c6-4fe8-8299b2c05645@rhsoft.net>
References: <0C7F986C-B0BC-4315-98ED-B4FD003B9399@gmail.com> <2a4491b4-e6f5-4297-beec-363f373a93e6@lsces.co.uk> <3f8be7b1-0e59-21c6-4fe8-8299b2c05645@rhsoft.net>

On 05/09/17 15:13, lists@rhsoft.net wrote:
> your first error is thinking every input is related to databases at all

So we end up with different code for different types of input? An array
that will work directly into a database save or some other follow-on
process without having to think about where the input comes from has to
be the right way ...

>> Copying all that data and manually creating filter rules is
>> just unnecessary work. In addition much of the VALIDATION is best done
>> at the browser end, and building that code is a lot easier when there is
>> a standard validation base across all of the layers!
>
> NO VALIDATION is best done in the browser end because no attacker ever
> will execute your client side validation code or operate a browser at all

Again ... write different code for each area of checking? My clients are
complaining that the browser is not doing as good a job as it could
checking things that it CAN check before passing it back to the server.
YES, the server needs to cross-check that no bugger has bypassed the
browser checks, but if the set of data is EXPECTED to have a clean
format, then any corruption can be tagged as a failure, because we have
standard rules on what we are passing.

>> Rejecting crap from hackers that have no format matching the fields on
>> the browser page is something else and if the data set is corrupt then
>> yes you can simply skip out before doing anything with it!
>
> and that's what the whole topic is about

But not at the cost of writing different sets of code to play to each
area where checking SHOULD be done. Stick to a single standard method of
defining the metadata, and that already exists in the database layer.
That was what the topic was all about 15 years ago and nothing much has
changed since ... and annotating that data in the code ...

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
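An added example, not code from the thread or from any PHP validator module, of the single-metadata approach argued for above: one constructed field definition of the kind a database layer already holds drives the server-side check, which runs whether or not the browser did its own, and a data set that fails any rule is rejected whole. The field names, rules and the validateAgainstMetadata() function are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread): one set of field metadata, of the kind a
// database layer already holds, drives server-side validation. The same metadata
// could be exported to generate browser checks, but the server re-checks regardless.
// Constructed metadata mirroring a hypothetical "contact" table.
const CONTACT_FIELDS = [
    'name'  => ['type' => 'string', 'maxlen' => 60,  'required' => true],
    'email' => ['type' => 'email',  'maxlen' => 254, 'required' => true],
    'age'   => ['type' => 'int',    'min' => 0, 'max' => 150, 'required' => false],
    'ref'   => ['type' => 'string', 'maxlen' => 12, 'required' => false,
                'pattern' => '/^[A-Z]{2}[0-9]{4,10}$/'],
];
// Returns a list of error strings; an empty list means the whole data set is clean.
// Keys absent from the metadata are errors too, so a payload whose shape does not
// match the form is rejected outright rather than partially accepted.
function validateAgainstMetadata(array $input, array $fields): array
{
    $errors = [];
    foreach (array_keys(array_diff_key($input, $fields)) as $key) {
        $errors[] = "unexpected field '$key'";
    }
    foreach ($fields as $name => $rule) {
        $value = $input[$name] ?? '';
        if ($value === '') {
            if ($rule['required']) { $errors[] = "$name is required"; }
            continue;
        }
        if (!is_string($value)) {   // form fields arrive as strings; arrays are not acceptable
            $errors[] = "$name has the wrong type";
            continue;
        }
        if ($rule['type'] === 'int') {
            $ok = filter_var($value, FILTER_VALIDATE_INT, ['options' =>
                      ['min_range' => $rule['min'], 'max_range' => $rule['max']]]) !== false;
        } elseif ($rule['type'] === 'email') {
            $ok = strlen($value) <= $rule['maxlen'] && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
        } else {
            $ok = strlen($value) <= $rule['maxlen']
                && (!isset($rule['pattern']) || preg_match($rule['pattern'], $value) === 1);
        }
        if (!$ok) { $errors[] = "$name does not match the expected format"; }
    }
    return $errors;
}
// Constructed submissions: a clean one, and one that bypassed the browser checks.
print_r(validateAgainstMetadata(['name' => 'Ann', 'email' => 'ann@example.com', 'age' => '41'], CONTACT_FIELDS));
print_r(validateAgainstMetadata(['name' => str_repeat('x', 80), 'email' => 'nope', 'ref' => 'zz1', 'evil' => '1'], CONTACT_FIELDS));
```

The first call returns an empty array; the second returns four errors (unexpected field, name too long, invalid e-mail, ref not matching its pattern), and the caller discards the whole submission rather than saving the parts that passed.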