Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:94783 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 75230 invoked from network); 1 Aug 2016 22:12:58 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 1 Aug 2016 22:12:58 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender) X-PHP-List-Original-Sender: yohgaki@ohgaki.net X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp Received: from [180.42.98.130] ([180.42.98.130:58396] helo=es-i.jp) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 08/D0-03293-869CF975 for ; Mon, 01 Aug 2016 18:12:58 -0400 Received: (qmail 11503 invoked by uid 89); 1 Aug 2016 22:12:53 -0000 Received: from unknown (HELO mail-qk0-f171.google.com) (yohgaki@ohgaki.net@209.85.220.171) by 0 with ESMTPA; 1 Aug 2016 22:12:53 -0000 Received: by mail-qk0-f171.google.com with SMTP id v123so26244246qkh.3 for ; Mon, 01 Aug 2016 15:12:52 -0700 (PDT) X-Gm-Message-State: AEkoouuiGjiRV1Y+JcSXJKoX9lS0MT2qZzTH7uMlfnf4MfIuLxOoYVYfG0F3H1GeORr4VbHd0XYcTduduld5aQ== X-Received: by 10.55.53.140 with SMTP id c134mr2618489qka.143.1470089566867; Mon, 01 Aug 2016 15:12:46 -0700 (PDT) MIME-Version: 1.0 Received: by 10.140.85.242 with HTTP; Mon, 1 Aug 2016 15:12:06 -0700 (PDT) In-Reply-To: References: Date: Tue, 2 Aug 2016 07:12:06 +0900 X-Gmail-Original-Message-ID: Message-ID: To: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: Adding validate_var_array()/validate_input_array() to which version? From: yohgaki@ohgaki.net (Yasuo Ohgaki) On Mon, Aug 1, 2016 at 5:23 PM, Yasuo Ohgaki wrote: > We have filter_var_array()/filter_input_array() currently. They are > designed as filter functions. i.e. They convert offending elements to > NULL/FALSE. Therefore, it's difficult to validate and see if inputs > are valid with specified specifications. > > https://github.com/php/php-src/pull/2048 > > This patch adds true validation functions > - validate_var_array() - Almost the same as filter_var_array() except > it returns scalar FALSE on validation failure(s), instead of filtered > array. > - validate_input_array() - Almost the same as filter_input_array() > except it returns scalar FALSE on validation failure(s), instead of > filtered array. > > > These functions are handy for input validation that stops script > execution upon invalid(attacker's) inputs. > > Question is which version should I target for? > It's simple enough patch to be merged to 7.1. IMO. > > Comments are appreciated! > > Regards, Raising Exception would be prefered. Any comment raising exception? ExceptionFilterValidate wouldn't cause much BC, IMO. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net