Newsgroups: php.internals
Subject: Re: [PHP-DEV] A validator module for PHP7
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: Stephen Reay
Cc: Tony Marston, internals@lists.php.net
Date: Mon, 11 Sep 2017 19:41:44 +0900
In-Reply-To: <049578E9-4C9A-42D8-B206-8ABAF070E151@koalephant.com>

Hi Stephen,

On Mon, Sep 11, 2017 at 6:37 PM, Stephen Reay wrote:

> On 11 Sep 2017, at 15:42, Yasuo Ohgaki wrote:
>
>> It seems you haven't tried to use the filter module seriously.
>> It simply does not have enough features for input validation.
>> e.g. You cannot validate "strings".
>
> Yasuo,
>
> I’ve asked previously what your proposal actually offers over the filter
> functions, and got no response, so please elaborate on this?
>
> Can you show a concrete example that cannot be validated in user land
> currently, using the filter functions as a base?

FILTER_VALIDATE_REGEXP is simply not good enough. PCRE is still known to be vulnerable to regex DoS (as is Oniguruma). Users should also avoid regex validation whenever possible, to avoid various risks.

In addition, the current filter module does not provide nested array validation, array key validation, etc. It is not true validation either. It does not provide simple length or min/max validations. It does non-explicit conversions (i.e. trim), etc.

Length and min/max validation are mandatory if you would like to follow ISO 27000 requirements.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
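As an added illustration of the filter behaviours Yasuo lists (the implicit trim, the missing string length check, and array handling), not code from the thread, in PHP 7. It assumes ext/filter and mbstring are loaded; the `$nameFilter` closure is a hypothetical user-land helper, not part of ext/filter.

```php
<?php
declare(strict_types=1);

// Constructed sample input, shaped like a decoded request body.
$input = ['user' => ' 42 ', 'name' => 'Ångström', 'tags' => ['a', 'b']];

// Integers: min/max ranges exist, but the leading/trailing whitespace in
// ' 42 ' is trimmed before parsing, so the value is accepted as an int and
// the caller never learns that the raw input was not canonical.
$id = filter_var($input['user'], FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 1000]]);

// Strings: ext/filter has no length option, so length must come from user
// code. FILTER_CALLBACK delegates to a closure; this hypothetical helper
// checks the UTF-8 character count with mbstring instead of a PCRE pattern.
$nameFilter = function ($value) {
    if (!is_string($value) || !mb_check_encoding($value, 'UTF-8')) {
        return false;                       // reject non-strings and invalid UTF-8
    }
    $len = mb_strlen($value, 'UTF-8');      // count characters, not bytes
    return ($len >= 1 && $len <= 64) ? $value : false;
};
$name = filter_var($input['name'], FILTER_CALLBACK, ['options' => $nameFilter]);

// Arrays: a scalar filter applied to an array returns false unless
// FILTER_REQUIRE_ARRAY is set; with the flag each leaf is filtered, but the
// definition carries no rule about which keys may exist or how many elements.
$tags = filter_var($input['tags'], FILTER_VALIDATE_REGEXP, [
    'options' => ['regexp' => '/^[a-z]{1,8}$/'],
    'flags'   => FILTER_REQUIRE_ARRAY,
]);

// Caller contract: every field must validate or the whole request is rejected.
if ($id === false || $name === false || $tags === false || in_array(false, $tags, true)) {
    exit('invalid input');
}
```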