Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94819
Return-Path: <php-php-dev@m.gmane.org>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 59681 invoked from network); 4 Aug 2016 01:07:19 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 4 Aug 2016 01:07:19 -0000
Authentication-Results: pb1.pair.com smtp.mail=php-php-dev@m.gmane.org; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=stadli@gmx.de; sender-id=fail
Received-SPF: error (pb1.pair.com: domain m.gmane.org from 195.159.176.226 cause and error)
X-PHP-List-Original-Sender: php-php-dev@m.gmane.org
X-Host-Fingerprint: 195.159.176.226 unknown  
Received: from [195.159.176.226] ([195.159.176.226:56104] helo=blaine.gmane.org)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 72/90-53111-E3592A75 for <internals@lists.php.net>; Wed, 03 Aug 2016 21:07:11 -0400
Received: from list by blaine.gmane.org with local (Exim 4.84_2)
	(envelope-from <php-php-dev@m.gmane.org>)
	id 1bV77q-0006Eb-B1
	for internals@lists.php.net; Thu, 04 Aug 2016 03:07:06 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: internals@lists.php.net
Date: Thu, 4 Aug 2016 03:07:05 +0200
Lines: 13
Message-ID: <nnu4fj$cul$1@blaine.gmane.org>
References: <CAGa2bXa8Oj=xi6ZUKYFe5XXuhZvOL6JT=31QHoq8EG-9veGDBg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.2.0
In-Reply-To: <CAGa2bXa8Oj=xi6ZUKYFe5XXuhZvOL6JT=31QHoq8EG-9veGDBg@mail.gmail.com>
Subject: Re: [PHP-DEV] Adding validate_var_array()/validate_input_array() to
 which version?
From: stadli@gmx.de (Christian Stadler)

Am 01.08.2016 um 10:23 schrieb Yasuo Ohgaki:
> P.S. It's possible to return array that contains offending values. It
> is not included since users can store whole offending input array.
> Whole input is more useful for attack analysis.

Actually I wanted to suggest exactly that for ppl. who want to give
Feedback to their users, what values failed to validate to the users.
Probably with a fourth optional param, like `$return_invalid = false`?
Of course logging is a different topic and should always use the whole
offending input array.

Regards,
  Christian Stadler