Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94786
Return-Path: <yohgaki@ohgaki.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 80810 invoked from network); 1 Aug 2016 22:52:23 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 1 Aug 2016 22:52:23 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@ohgaki.net
X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp  
Received: from [180.42.98.130] ([180.42.98.130:58509] helo=es-i.jp)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id D5/F1-03293-3A2DF975 for <internals@lists.php.net>; Mon, 01 Aug 2016 18:52:23 -0400
Received: (qmail 13503 invoked by uid 89); 1 Aug 2016 22:52:16 -0000
Received: from unknown (HELO mail-qk0-f174.google.com) (yohgaki@ohgaki.net@209.85.220.174)
  by 0 with ESMTPA; 1 Aug 2016 22:52:16 -0000
Received: by mail-qk0-f174.google.com with SMTP id p186so33926229qkd.1
        for <internals@lists.php.net>; Mon, 01 Aug 2016 15:52:15 -0700 (PDT)
X-Gm-Message-State: AEkooutHYHybAiyQUe9YLg5dMuYj6d11JJgAvaxWqWAJY+3tgyih5mBNdKTCR8Q65cSo4yYxTx4wugGSE56anQ==
X-Received: by 10.55.136.133 with SMTP id k127mr73304808qkd.0.1470091929707;
 Mon, 01 Aug 2016 15:52:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.85.242 with HTTP; Mon, 1 Aug 2016 15:51:29 -0700 (PDT)
In-Reply-To: <CA+kxMuRuUc38jctY-9KAPLjmBMp7=Yn3ax=Eyw9kDYKLg7DkNA@mail.gmail.com>
References: <CAGa2bXa8Oj=xi6ZUKYFe5XXuhZvOL6JT=31QHoq8EG-9veGDBg@mail.gmail.com>
 <CA+kxMuRuUc38jctY-9KAPLjmBMp7=Yn3ax=Eyw9kDYKLg7DkNA@mail.gmail.com>
Date: Tue, 2 Aug 2016 07:51:29 +0900
X-Gmail-Original-Message-ID: <CAGa2bXbTFsJEZOJwLibRUXfK1SD6UHDOsrao8RpkaY24NT1kkg@mail.gmail.com>
Message-ID: <CAGa2bXbTFsJEZOJwLibRUXfK1SD6UHDOsrao8RpkaY24NT1kkg@mail.gmail.com>
To: Dan Ackroyd <danack@basereality.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] Adding validate_var_array()/validate_input_array() to
 which version?
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Dan,

On Tue, Aug 2, 2016 at 7:29 AM, Dan Ackroyd <danack@basereality.com> wrote:
> On 1 August 2016 at 09:23, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
>>
>> Question is which version should I target for?
>

> Why does this need to be in PHP core?

Input validation is the most important security measure.
https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

Input validation best practice is "Validate values by whitelist and
Reject invalid", not "Filter values and Accept". PHP should have
function follows best practices. (I'm not saying nobody should not
"Filter values and Accept". It's okay if your security policy allows
it.)

> Why can't this just be a userland library?

PHP must have input validation feature that achieves previously
described validation. Basic feature like input validation must be able
to perform quickly, so it should be provided as core feature like
basic escaping functions.

Regards,

P.S. I'll add string validation filters (e.g. min/max, encoding
check,etc) and validation function callback (i.e. Must return bool)
soon.

--
Yasuo Ohgaki
yohgaki@ohgaki.net