Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:128754 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id C53AB1A00BC for ; Wed, 1 Oct 2025 12:19:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1759321104; bh=741bH15vbLJyA7IayOUGco7YV4Or4l7Q8krMtqCIwkE=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=FRmDZugveOFm8F/6OUL78nu8rYvY0bf7O5GO0OhQxrrR+7/lUQInRzb8z3RrJuaRv 0eTTjexrZea6mYBamqbWxHlKW0lJFbjyRCuEg3uLomv2P1vmSL4mTK4+JEHJBkTSMs C8Cqf1dkFH4u/fGZGaO/dkIFRaNopnBxsvzg3VZLmjhOhWkSOzCCfU2TvHKF0sgef+ /3U9WQfGqdypifLI4/xLZUgHan8M7uVyezqFH1yWqRxsEVLOgR0c6jlnPlsKM/USYE xEB5PY+uf+KFOop1mwvzz7tGVsESGtskAn0wo3GiipHF1Iwqyucod/rIe2qliFwqEe FnxnhHoKoL7Rw== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 9C3451801D4 for ; Wed, 1 Oct 2025 12:18:20 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,T_SPF_TEMPERROR autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from mail-ed1-f52.google.com (mail-ed1-f52.google.com [209.85.208.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Wed, 1 Oct 2025 12:18:20 +0000 (UTC) Received: by mail-ed1-f52.google.com with SMTP id 4fb4d7f45d1cf-62fca216e4aso2236847a12.0 for ; Wed, 01 Oct 2025 05:19:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1759321178; x=1759925978; darn=lists.php.net; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=741bH15vbLJyA7IayOUGco7YV4Or4l7Q8krMtqCIwkE=; b=EgV78N0pwSowX77Zb2B6OdYNSsvGZCHKkongENpWc5x6/05XnBf6mQ3KBXZdAUeOw6 naBOxlXC1jaE3WPxZo7obl91xAD8bzii1PwMpFVoTf+IopnY4/p+GPBLpouBK1DfOsru QeiNs4V2vfjstP00b3R67Uo7BkV3gbAmRz8Nbn6O6ndsJuBhqjMMOj+Iru+I9R34NUz8 2OYlzT1RH4SroVF2zuBIq+9MHl8fjpgLPQpMaoEMEmjMc0BdR5dOlo9fvs0xgL2xDPLR gLYhQx62Akx66uxjIyuj5L5u26ISf3dfh2/wg7YvTbQzSg81DqDgz3BDt2Jf5EN2DrEl ypig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759321178; x=1759925978; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=741bH15vbLJyA7IayOUGco7YV4Or4l7Q8krMtqCIwkE=; b=opljvqy0fxIO72fg4XmPvNgDQ6KBfdDRDMqXBZenute9EaOXfb+lHi4tvb0hDrHHEH t2Cz1MM3y/aXlaweWYkRsYo1+1DhnE7alGD8JU7x/K4Vc2a9WEkbDU+2WOxpQAveKtlu i4NKIifY9+rkv43LRmRWsOlhAemnFAZWGhFYK9B8YjK1dQMLyXACBufx+ctBYD8NvmGF l0I8pgPktoLIzbpHVneiRE/gGZcDH9dOEgTORvii776ivrDWJKSILmjB7vFX+glW2UKS Bt+J+XY/vX8B2JDThwF/fg4d1gCriraEzPiEr8RA2u9czg54JRAQNJuTeqHbDN8r2WSI OIXQ== X-Gm-Message-State: AOJu0YwR8bRfvl9I4eJ8OS1oAXXcBgOYXd9pi0rrkAornkif3yyliwMA HZySvgnNaM0qOSPY4xNxOAPkFKAv26KjMvf4ORiOee2LP2LXKs6c9FXGYKk4XpeTGMDBQHOnYeN cV5WzHkpM3e9BTkcPJboy3O9xwjvCS35Mh1XP X-Gm-Gg: ASbGnct0OF4hC0F4U7R0OMC7gCLJuui9uEZa+Og1Vr1LEKAr90LWqBbYbBeKMTiJ3jk BD9tyiQsYO/jSXGssFPuKM3ilWdwj8FdDNUnDBGa7WhEUwaqbWm9Kv1I6Ee50spEQeT1aRsZpzs eQulOUv/TcmA2hKpYVBLfTyz8WkUPwKkRbGoD1dtwlIY29EkBULA9GAzaMp/a/As8X7GetyTrgy F940rMfrAQnPf8v1stBAt+9c7mPN+iVNauZdNZsmXc4+yQepewlfxz/e2z99e6vzw== X-Google-Smtp-Source: AGHT+IFWXdFOFbA4xD9+IzQmV/rQ2Ri/c8PUwpeXVrhpAQF2iAyDTeIPqWJ/DiwxXaVZSP0i5xBT+ijcguOcubhSxtc= X-Received: by 2002:a05:6402:649:b0:633:14bb:dcb1 with SMTP id 4fb4d7f45d1cf-6365af5ecedmr5958147a12.11.1759321177742; Wed, 01 Oct 2025 05:19:37 -0700 (PDT) Precedence: list list-help: list-post: List-Id: x-ms-reactions: disallow MIME-Version: 1.0 References: In-Reply-To: Date: Wed, 1 Oct 2025 14:19:26 +0200 X-Gm-Features: AS18NWBQokjbM94GnfpSsHMalXLRF5gp-1qdGbxXZbpsbacP_e7-rX_cG3g-iw4 Message-ID: Subject: Re: [PHP-DEV] [DISCUSSION] Validating regex pattern To: Christian Schneider Cc: PHP internals list Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable From: alex.daubois+php@gmail.com (Alexandre Daubois) Hi, > My concern would be that dynamically creating regex patterns has quite a = lot of possible different foot guns and using something like preg_validate/= filter_var to prevent warnings seems to not really solve the problem but gi= ve a false sense of security. The purpose I see is not to give a sense of security, but to give quick feedback whether the pattern is valid or not. > You can end up with a mostly working version which will only trigger the = fail path later on depending on user input. I'm not sure to understand the connection here: validating the regex pattern itself and matching the pattern with something are two different things. > It boils down to: If you are not confident that you construct the pattern= in a safe way then what would you do if a validation function returns fals= e? You can notify the developer but that is already accomplished with the p= reg_* warning when an invalid pattern is given. Creating an error page for = the user on a warning is also already possible. That's why i'm on the fence= whether a validation function does more good or harm. I don't understand how it could be harmful. Early validation is useful when it comes to avoiding unnecessary operations if we can already be sure that it will fail later for obvious reasons. For me, it falls into the same category as email or URL validation in filter_var. That's also why I think it would be more appropriate as a flag for this function rather than a dedicated function. =E2=80=94 Alexandre Daubois