Newsgroups: php.internals
Xref: news.php.net php.internals:79050
Subject: Re: [PHP-DEV] [RFC] Safe Casting Functions
From: Stanislav Malyshev <smalyshev@gmail.com>
To: Yasuo Ohgaki
CC: PHP Internals
Date: Thu, 20 Nov 2014 12:02:44 -0800
Message-ID: <546E48E4.6010503@gmail.com>
References: <66B7B28C-2651-4A71-AC2A-55D4C7BB3DDC@ajf.me> <546D43B3.60708@gmail.com> <546D9A6F.8080106@gmail.com>

Hi!

> I brought up ISO 27000 as the definition of IT security, since there are
> many definitions for security. ISO 27000 does not define what "security
> measure" is,

That's exactly the issue. You bring very generic definitions from standards and best practices, and then you bring your personal opinion on how to implement a specific case, and make it sound like the standard endorses your personal preference. But it is not so - both filtering and validation can be perfectly secure when properly used (or insecure when not). There's no requirement in the standards for any of them; at least you haven't demonstrated any.

> As I described above, accounting which requires logging is one of the
> security measures for me.

And that's fine for your use cases, but it doesn't mean all use cases must be like yours. So making it sound like sanitizing data is somehow insecure is not right - unless you can show some actual security problem, not a mismatch with your use case.

-- 
Stas Malyshev
smalyshev@gmail.com
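The distinction the reply turns on, sanitizing (filtering) an input versus validating it and logging rejections, can be seen concretely on a small integer-casting example. The following PHP is an added illustration, not code from this thread, from the Safe Casting Functions RFC, or from PHP's own implementation; it uses only the existing filter_var() API, and the function names, the sample inputs and the log format are constructed for the example.

```php
<?php
// Added example (not from the thread or the RFC): contrasting a sanitizing
// cast with a validating cast for an integer-typed input, using PHP's
// existing filter_var() filters. Function names are illustrative.

// Sanitizing approach: strip anything that is not a digit or a sign, then
// cast. This always produces an int; malformed input is silently reshaped
// rather than refused.
function sanitize_int(string $raw): int
{
    $cleaned = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    return (int) $cleaned;
}

// Validating approach: accept only a well-formed integer. Anything else is
// recorded (the "accounting" side of the discussion) and reported back as
// null so the caller decides what to do with a rejected value.
function validate_int(string $raw, array &$log): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    if ($value === false) {
        // Constructed log line; a real application would use its logger.
        $log[] = sprintf('rejected non-integer input %s', var_export($raw, true));
        return null;
    }
    return $value;
}

// Constructed sample inputs, including values that look numeric but are not
// integers in the strict sense.
$samples = ['42', ' 42 ', '-7', '12abc', '1e3', '', 'abc'];
$log = [];

foreach ($samples as $raw) {
    $sanitized = sanitize_int($raw);
    $validated = validate_int($raw, $log);
    printf("%-8s sanitize => %-5d validate => %s\n",
        var_export($raw, true),
        $sanitized,
        $validated === null ? 'rejected' : (string) $validated);
}

echo "\nValidation log:\n";
foreach ($log as $line) {
    echo "  $line\n";
}
```

Run it with the PHP CLI. The sanitizing path turns an input such as '1e3' into the integer 13 by dropping the letter, while the validating path refuses it and leaves a log entry; whether that silent reshaping is acceptable depends on what the surrounding application needs, which is the point made in the reply above.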