Newsgroups: php.internals
Date: Wed, 5 Oct 2022 22:35:58 +0100
Subject: Re: [PHP-DEV] Sanitize filters
From: davidgebler@gmail.com (David Gebler)
To: Rowan Tommins
Cc: internals@lists.php.net

On Tue, Oct 4, 2022 at 11:34 AM Rowan Tommins wrote:

> The "notorious" thing I know is that validating e-mail addresses is next
> to impossible because of multiple overlapping standards, and a huge
> number of esoteric variations that might or might not actually be
> deliverable in practice. If you think the implementation can be
> improved, that doesn't need a new is_valid_email() function, just a
> tested and documented patch to the existing one; if it can't be
> improved, then any new function will be just as useless
>

There are multiple RFC standards for email address format but AFAIK PHP's FILTER_SANITIZE_EMAIL doesn't conform to any of them.

The idea behind my suggestion for something like is_valid_email (whatever it might be named) is as a step towards deprecating and removing the entire existing filter API, which I think many of us agree is a mess. As you said below "it's trying to be everything to everyone, and ends up with a bewildering set of options" - a rewrite or replacement which also tries to be everything to everyone won't solve that problem, but getting rid of it entirely will.

That said, the nature of PHP as a web-first language means it's reasonable to include some individual, smaller, better APIs for certain validations or sanitizations on types of data which are very commonly encountered in HTTP requests. Examples include strings we expect or want to be valid integers, decimals, email addresses and URLs. I think these features should remain, but I'd happily see them even as a set of new, individual core functions if it meant binning off filter_var and filter_input in PHP 9.

Regardless, look - I don't want to derail here - if most people are happy with just deprecating some of the crappier and more confusing sanitize filters and leave it at that, I say great, go for it, it's still an improvement. I'm just saying if someone's going to take the time to look at that problem space, why not go more than half the distance and reconsider the fundamental approach of something we all know is pretty sucky anyway? Just food for thought.