Newsgroups: php.internals
Subject: Re: A validator module for PHP7
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: internals@lists.php.net
Date: Tue, 27 Mar 2018 18:41:46 +0900

On Mon, Sep 4, 2017 at 3:33 PM, Yasuo Ohgaki wrote:
> Hi all,
>
> I spent a little time on a new input validation module. It's not a totally
> new module, but is based on the Filter module's validation filter improvement
> RFC in many ways. [1]
>
> As all of us know already, input validation is the most important practice
> in secure coding. [2][3] Yet, we don't provide a usable feature out of the box.
> Sadly, almost all apps do not have proper input validation at the trust
> boundary. Unless we improve filter's validation, we need a usable basic
> validator by default, IMO.
>
> Since I didn't get much feedback during the RFC discussion, I cannot tell
> what part is disliked. I guess too many features in filter is one reason.
> Another is messed-up code/features by providing both "filter" and
> "validation".
>
> Validator for PHP7 (validate module) gets rid of unneeded features. It
> only has features for basic PHP data type validations. The validation
> rule (spec) array is flexible enough. Almost any type of input could be
> handled by multiple and nested validation rules.
>
> Except for some minor features like overflow checks, most planned features are
> implemented.
>
> https://github.com/yohgaki/validate-php
>
> Although the code is based on the filter module's code, it's almost a full
> rewrite except for the validation logic that came from filter. Please consider
> this as an under-development module.
> Feedback is appreciated.
>
> Regards,
>
> [1] https://wiki.php.net/rfc/add_validate_functions_to_filter
> [2] https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
> [3] https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net

I thought it would be nice to have a PHP script version for Validate PHP. It
is a lot easier to modify the API as needed. So I spent a few hours last weekend.
https://github.com/yohgaki/validate-php-scr

Caution, I just wrote it and didn't debug it yet. However, it is good enough
to play with, I suppose.

The API differs a little. This has a more simplified parameter structure.

Suggestions and comments are appreciated.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
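A minimal spec-array validator in the style the mail describes (basic PHP type checks, nested rules for structured input, an integer overflow check), added here as an illustration and not code from either validate-php repository: the rule keys ('type', 'min', 'max', 're', 'optional', 'spec') and the function name are my own assumptions.

```php
<?php
// Added illustration of a spec-array validator (not validate-php's own API):
// values arrive as strings from $_GET/$_POST; keys not in the spec are rejected.
function validate_spec(array $spec, array $input, string $path = ''): array
{
    $errors = [];
    foreach (array_diff_key($input, $spec) as $extra => $_) {
        $errors[] = ($path === '' ? $extra : "$path.$extra") . ": unexpected key";
    }
    foreach ($spec as $key => $rule) {
        $here = $path === '' ? (string) $key : "$path.$key";
        if (!array_key_exists($key, $input)) {
            if (empty($rule['optional'])) {
                $errors[] = "$here: missing";
            }
            continue;
        }
        $v = $input[$key];
        switch ($rule['type']) {
            case 'int':
                // Canonical decimal only; (int) saturates on overflow, so a changed
                // round trip means the value is not a representable PHP int.
                if (!is_string($v) || !preg_match('/\A-?[0-9]{1,20}\z/', $v) || (string) (int) $v !== $v) {
                    $errors[] = "$here: not a valid integer";
                } elseif ((int) $v < ($rule['min'] ?? PHP_INT_MIN) || (int) $v > ($rule['max'] ?? PHP_INT_MAX)) {
                    $errors[] = "$here: out of range";
                }
                break;
            case 'string':
                // Length cap plus a pattern; the default pattern rejects control bytes.
                if (!is_string($v) || strlen($v) > ($rule['max'] ?? 255)
                    || !preg_match($rule['re'] ?? '/\A[^\x00-\x1f\x7f]*\z/', $v)) {
                    $errors[] = "$here: invalid string";
                }
                break;
            case 'array':  // nested spec for structured input
                if (!is_array($v)) { $errors[] = "$here: expected an array"; break; }
                $errors = array_merge($errors, validate_spec($rule['spec'], $v, $here));
                break;
        }
    }
    return $errors;
}

// Constructed sample: the id exceeds PHP_INT_MAX and 'admin' is not in the spec.
$spec = ['id' => ['type' => 'int', 'min' => 1],
         'name' => ['type' => 'string', 'max' => 64, 're' => '/\A[\p{L} ]+\z/u'],
         'address' => ['type' => 'array', 'spec' => ['zip' => ['type' => 'string', 're' => '/\A[0-9]{5}\z/']]]];
$input = ['id' => '99999999999999999999', 'name' => 'Ann', 'address' => ['zip' => '12345'], 'admin' => '1'];
print_r(validate_spec($spec, $input));
```

Rejecting keys the spec does not list is what makes this usable at a trust boundary: a request that carries extra fields fails closed instead of being partially accepted.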