Newsgroups: php.internals
Date: Thu, 4 Aug 2016 19:56:24 +0900
To: Lester Caine
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Adding validate_var_array()/validate_input_array() to which version?
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Lester,

On Tue, Aug 2, 2016 at 2:56 PM, Lester Caine wrote:
>
> Once again lots of additional code is being added which only fixes HALF
> of the input validation problem. The same as 'strict typing'.

I'm not trying to solve all input validation issues with this proposal.
A large amount of responsibility is left to programmers. These could be
done by callback, regex, or multiple filter definitions.

If you feel there is a critical feature missing, please let me know.
I think the basic features required by security best practices are
provided by this RFC's changes.

>
> All of these extras can simply be eliminated if you address the problem
> of adding a set of rules to the basic 'var' that allow proper validation
> of each individually ... and *I* include in those rules adding the
> correct escaping for that particular variable. Which is EXACTLY what one
> does in the user land libraries that currently fill the gap.
>
> On one hand we are being pushed to add things like getter and setter and
> all that overhead to create proper objects, while this option is back
> with handling a raw set of variables as an array?

Do you mean the validation rule definition? If so, yes. It's an array.

Array definition rules could be wrong/broken, e.g. by a typo, and the
consequence of a broken definition is severe. So I added a definition
validation function, validate_check_definition(). (A better name might be
preferred; "validate" and "check" sound strange.)

validate_check_definition() could be called via assert() during development.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
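
The point about broken definition arrays, illustrated with the filter extension that already ships in PHP. This is an added example, not code from the message or from the RFC: check_filter_definition() is a hypothetical userland helper (it is not the proposed validate_check_definition()), and both definition arrays are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical userland checker for filter_var_array() definitions.
// Returns a list of problems; an empty list means the definition looks sane.
function check_filter_definition(array $definition): array
{
    $knownIds    = array_map('filter_id', filter_list());
    $allowedKeys = ['filter', 'flags', 'options'];
    $problems    = [];

    foreach ($definition as $field => $rule) {
        if (is_int($rule)) {                 // shorthand: 'field' => FILTER_*
            $rule = ['filter' => $rule];
        }
        if (!is_array($rule)) {
            $problems[] = "$field: rule must be a filter id or an array";
            continue;
        }
        foreach (array_diff(array_keys($rule), $allowedKeys) as $key) {
            $problems[] = "$field: unknown key '$key'";
        }
        if (!array_key_exists('filter', $rule)) {
            $problems[] = "$field: no 'filter' key";
        } elseif (!in_array($rule['filter'], $knownIds, true)) {
            $problems[] = "$field: unknown filter id";
        } elseif ($rule['filter'] === FILTER_CALLBACK
                  && !is_callable($rule['options'] ?? null)) {
            $problems[] = "$field: FILTER_CALLBACK needs a callable in 'options'";
        }
    }
    return $problems;
}

// Constructed definition with two deliberate typos in the rule keys.
$broken = [
    'id'    => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
    'email' => ['filtr' => FILTER_VALIDATE_EMAIL],
    'name'  => ['filter' => FILTER_VALIDATE_REGEXP,
                'option' => ['regexp' => '/^\w{1,32}$/']],
];
print_r(check_filter_definition($broken));

// Corrected definition, gated by assert() so the check runs in development
// (zend.assertions=1) and costs nothing when assertions are compiled out.
$fixed = $broken;
$fixed['email'] = ['filter' => FILTER_VALIDATE_EMAIL];
$fixed['name']  = ['filter' => FILTER_VALIDATE_REGEXP,
                   'options' => ['regexp' => '/^\w{1,32}$/']];
assert(check_filter_definition($fixed) === [], 'broken filter definition');
```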