Newsgroups: php.internals
Message-ID: <05A8DB1C-4683-4934-A7DA-C7CD71E6CCB6@koalephant.com>
Date: Mon, 11 Sep 2017 22:22:43 +0700
From: php-lists@koalephant.com (Stephen Reay)
To: Yasuo Ohgaki
Cc: Tony Marston, "internals@lists.php.net"
Subject: Re: [PHP-DEV] A validator module for PHP7

> On 11 Sep 2017, at 17:41, Yasuo Ohgaki wrote:
>
> Hi Stephen,
>
> On Mon, Sep 11, 2017 at 6:37 PM, Stephen Reay wrote:
>
>> On 11 Sep 2017, at 15:42, Yasuo Ohgaki wrote:
>>
>> It seems you haven't tried to use the filter module seriously.
>> It simply does not have enough features for input validation.
>> e.g. You cannot validate "strings".
>>
>>
>> Yasuo,
>>
>> I’ve asked previously what your proposal actually offers over the filter
>> functions, and got no response, so please elaborate on this?
>>
>
>
>> Can you show a concrete example that cannot be validated in user land
>> currently, using the filter functions as a base?
>>
>
> FILTER_VALIDATE_REGEXP is simply not good enough.
> PCRE is known to still be vulnerable to regex DoS (as is Oniguruma).
> Users should also avoid regex validation whenever possible, to avoid
> various risks.
>
> In addition, the current filter module does not provide nested array
> validation, array key validation, etc. It's not true validation either.
> It does not provide simple length, min/max validations. It does
> non-explicit conversions (i.e. trim), etc.
> Length, min/max validation is mandatory validation if you would like to
> follow the ISO 27000 requirements.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net

So, you still didn’t actually provide an example. I *guess* you’re talking about character class validation or something else equally “simple”, because I can’t imagine what else would be a common enough case that you’d want to have built-in rules for, and that you wouldn’t internally use RegExp to test anyway.

Ok so we can’t use filter_var() rules to validate that a string field is an Alpha or AlphaNum, between 4 and 8 characters long (technically you could pass mb_strlen() to the INT filter with {min,max}_range options set to get the length validation, but I’ll grant you that *is* kind of a crappy workaround right now).

Why not stop trying to re-invent every single feature already present in PHP (yes, I’ve been paying attention to all your other proposals), and just *add* the functionality that’s missing:

A `FILTER_VALIDATE_STRING` filter, with “Options” of `min` => ?int, `max` => ?int and “Flags” of FILTER_FLAG_ALPHA, FILTER_FLAG_NUMERIC (possibly a built-in bit mask “FILTER_FLAG_ALPHANUMERIC”?)

Lastly: it may not be the format you personally want, but the filter extension *does* have the `filter_{input,var}_array` functions. Claiming something doesn’t exist because it doesn’t work exactly how you would like it to, makes you seem immature and petty, IMO.
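
An added example, not part of the original message or of PHP itself: the userland workaround described above (length via mb_strlen() passed to the INT filter with min_range/max_range), combined with a regex-free character class check and filter_var_array(). The helper name validate_alnum_length, the field names and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example; validate_alnum_length() is a hypothetical userland helper,
// not a PHP built-in and not the FILTER_VALIDATE_STRING filter suggested above.
// Requires the filter, ctype and mbstring extensions.

function validate_alnum_length($value, int $min, int $max)
{
    if (!is_string($value)) {
        return false;
    }
    // Length check via the mb_strlen() + INT filter workaround from the message.
    $len = filter_var(mb_strlen($value, 'UTF-8'), FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    // Character class check without a regex; ctype_alnum() scans the string once.
    // It is locale-dependent, so this assumes the default "C" locale (ASCII only).
    if ($len === false || !ctype_alnum($value)) {
        return false;
    }
    return $value;
}

// Per-field rules for filter_var_array(): a callback for the string rule,
// the built-in INT filter with a range for the numeric field.
$spec = [
    'username' => [
        'filter'  => FILTER_CALLBACK,
        'options' => function ($v) {
            return validate_alnum_length($v, 4, 8);
        },
    ],
    'age' => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 0, 'max_range' => 150],
    ],
];

// Constructed sample inputs (flat arrays of strings, as in $_POST).
$samples = [
    ['username' => 'alice42',       'age' => '31'],  // both fields in range
    ['username' => 'bob',           'age' => '31'],  // username too short
    ['username' => 'alice_42',      'age' => '31'],  // "_" is not alphanumeric
    ['username' => 'averylongname', 'age' => '200'], // too long, age out of range
];

foreach ($samples as $input) {
    var_export(filter_var_array($input, $spec));
    echo PHP_EOL;
}
```

Fields that fail their rule come back as `false` in the result array, so callers should compare with `=== false` rather than rely on truthiness (a valid age of `0` is falsy).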