Newsgroups: php.internals
Xref: news.php.net php.internals:100392
Subject: Re: [PHP-DEV] A validator module for PHP7
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Lester Caine
Cc: internals@lists.php.net
Date: Wed, 6 Sep 2017 03:54:12 +0900
References: <0C7F986C-B0BC-4315-98ED-B4FD003B9399@gmail.com>

Hi Lester,

On Tue, Sep 5, 2017 at 8:36 PM, Lester Caine wrote:
> On 05/09/17 12:18, Yasuo Ohgaki wrote:
> > I cannot guess people's thoughts. I appreciated feedback!
>
> With a decent database layer a lot of the validation you are proposing
> is already covered but PDO does not help in this area. Adding another
> layer that does not integrate with a storage layer is just adding to the
> current mess ...

I'm a fan of multiple tiers and multiple layers of protection. For instance, Microsoft's SQL injection security page states as follows.

- Never build Transact-SQL statements directly from user input; use stored procedures to validate user input.
- Validate user input by testing type, length, format, and range. Use the Transact-SQL QUOTENAME() function to escape system names or the REPLACE() function to escape any character in a string.
- Implement multiple layers of validation in each tier of your application.

https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/writing-secure-dynamic-sql-in-sql-server

This is what secure coding practice recommends, too. It may seem a mess, but it's not.

The outermost trust boundary that can be controlled is the most important trust boundary. For server-side web app developers, the outermost trust boundary is the controller in the MVC model. Input validation at the model is a bit too late to mitigate risks involved with invalid (attacker) inputs. Input validation at both the model and controller layers (as well as in the database, too) is good/important to have.

There is one principle that developers are better to follow.

https://en.wikipedia.org/wiki/Fail-fast

If we follow this principle, validation at the controller makes sense.

Regards,

P.S. For database administrators or web app developers who maintain application Models, the outermost trust boundary is "database system" and "the Model layer" respectively. The outermost trust boundary is changed by what they can control. This kind of discussion could result in a mess. I hope I explained well enough.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
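The layered, fail-fast validation Yasuo describes above (type, length, format and range checks at the controller boundary, a second independent check in the model, and parameterized SQL at the database) can be sketched as follows. This is an added example written for this page; it is not code from the thread, from PHP itself, or from the proposed validator module. The names `ValidationError`, `validateSignupInput` and `UserModel` are hypothetical, the sample requests are constructed, and an in-memory SQLite PDO driver is assumed so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or the proposed module. Names are hypothetical.
// Layer 1 (controller): fail-fast validation of raw request input.
// Layer 2 (model): independent re-check of invariants plus a PDO prepared statement.

final class ValidationError extends RuntimeException {}

/**
 * Controller-boundary validator: checks type, length, format and range for
 * each field and throws on the first failure (fail-fast). Returns typed data.
 */
function validateSignupInput(array $input): array
{
    // Whitelist fields: anything unexpected is rejected, nothing is silently ignored.
    $allowed = ['username', 'email', 'age'];
    $unexpected = array_diff(array_keys($input), $allowed);
    if ($unexpected !== []) {
        throw new ValidationError('unexpected field(s): ' . implode(', ', $unexpected));
    }
    foreach ($allowed as $field) {
        if (!array_key_exists($field, $input)) {
            throw new ValidationError("missing field: $field");
        }
    }

    // username: type string, length 3..32, format [A-Za-z0-9_]
    $username = $input['username'];
    if (!is_string($username)) {
        throw new ValidationError('username: expected string');
    }
    $len = strlen($username);
    if ($len < 3 || $len > 32) {
        throw new ValidationError('username: length must be 3..32');
    }
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $username)) {
        throw new ValidationError('username: invalid characters');
    }

    // email: type string, length <= 254, format checked by filter_var
    $email = $input['email'];
    if (!is_string($email) || strlen($email) > 254) {
        throw new ValidationError('email: expected string of at most 254 bytes');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new ValidationError('email: invalid format');
    }

    // age: must parse as an integer within range 13..120
    $ageInt = filter_var($input['age'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 13, 'max_range' => 120],
    ]);
    if ($ageInt === false) {
        throw new ValidationError('age: must be an integer in 13..120');
    }

    return ['username' => $username, 'email' => $email, 'age' => $ageInt];
}

/** Model layer: second validation layer in front of the database. */
final class UserModel
{
    /** @var PDO */
    private $pdo;

    public function __construct(PDO $pdo) { $this->pdo = $pdo; }

    public function create(string $username, string $email, int $age): void
    {
        // Re-check the invariants the model depends on; do not assume every
        // caller went through the controller validator.
        if ($age < 13 || $age > 120 || strlen($username) > 32) {
            throw new ValidationError('model: invariant violated');
        }
        // Values are bound as parameters, so they never become part of the SQL text.
        $stmt = $this->pdo->prepare('INSERT INTO users (username, email, age) VALUES (:u, :e, :a)');
        $stmt->bindValue(':u', $username, PDO::PARAM_STR);
        $stmt->bindValue(':e', $email, PDO::PARAM_STR);
        $stmt->bindValue(':a', $age, PDO::PARAM_INT);
        $stmt->execute();
    }
}

// Controller-style driver over constructed sample requests (in-memory SQLite assumed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, age INTEGER)');
$model = new UserModel($pdo);

$requests = [
    ['username' => 'alice_01', 'email' => 'alice@example.com', 'age' => '34'],           // valid
    ['username' => 'bob smith!', 'email' => 'bob@example.com', 'age' => '40'],           // bad format
    ['username' => 'carol', 'email' => 'carol@example.com', 'age' => '7'],               // out of range
    ['username' => 'dave', 'email' => 'dave@example.com', 'age' => '20', 'role' => 'x'], // unexpected key
];
foreach ($requests as $req) {
    try {
        $clean = validateSignupInput($req);
        $model->create($clean['username'], $clean['email'], $clean['age']);
        echo "accepted: {$clean['username']}\n";
    } catch (ValidationError $e) {
        echo "rejected: {$e->getMessage()}\n"; // rejected at the outermost boundary
    }
}
```

The point of keeping the model's own check separate from the controller's is the one made in the mail: whoever controls a layer treats that layer as their outermost trust boundary, so each layer validates what it relies on rather than assuming an upstream layer did.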