Newsgroups: php.internals
To: internals@lists.php.net
Date: Thu, 4 Aug 2016 23:03:14 +0100
Subject: Re: [PHP-DEV] Adding validate_var_array()/validate_input_array() to which version?
From: lester@lsces.co.uk (Lester Caine)

On 04/08/16 22:47, Yasuo Ohgaki wrote:
>> The correct response to a form validation error is to show a message to the
>> user with as much detail as possible, not to simply terminate the script and
>> assume they are trying to attack your application.
> We are talking about different things.
> I'll document it clearly in RFC.

But both need to be done at the same time ... Validating the input data requires that you have a set of rules for each variable, and if all are correct then one can process the 'array', but if an element fails validation then one needs to handle the error either as suspicious, or simply out of range.

I repeat that handling the complexities of EACH variable of the validation is a package of work in its own right, and trying to handle some aspects via an array function does not remove the more obvious need to decide what order to handle validation errors on each element, or to return error messages for each variable that fails validation.

If the element is some attempt to create an injection of js or html tags then it should fail validation, but equally it may be a valid input as long as it is escaped and stored in a correct manner. The complexity of what you plan for your array validation elements starts with all the same rules applied to a single variable.

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
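The per-variable handling discussed in this message, as an added example that is not part of the original post or of the RFC: each field has its own rule and message, a field the form never defined is logged as suspicious instead of being reported to the user, and a value containing HTML tags is accepted and escaped at output. The field names, rules and sample submission are assumptions; the code uses only existing PHP functions (filter_var, htmlspecialchars), not the proposed validate_var_array().

```php
<?php
declare(strict_types=1);

// Assumed per-field rules: every variable has its own filter and its own message.
const RULES = [
    'age'     => ['filter' => FILTER_VALIDATE_INT,
                  'options' => ['min_range' => 0, 'max_range' => 130],
                  'message' => 'Age must be a whole number between 0 and 130.'],
    'email'   => ['filter' => FILTER_VALIDATE_EMAIL,
                  'message' => 'Please enter a valid e-mail address.'],
    'comment' => ['filter' => FILTER_UNSAFE_RAW, // free text, escaped on output
                  'message' => 'Comment must be plain text.'],
];

/** Returns [clean values, per-field messages for the user, findings for the log]. */
function validate_form(array $input): array
{
    $clean = $errors = $suspicious = [];
    // A field the form never defined is not a typing mistake: log it, do not explain it.
    foreach (array_keys(array_diff_key($input, RULES)) as $name) {
        $suspicious[] = "unexpected field: $name";
    }
    foreach (RULES as $name => $rule) {
        $raw = $input[$name] ?? '';
        if (!is_string($raw)) { // e.g. age[]=1 where a single string was expected
            $suspicious[] = "non-string value for field: $name";
            $errors[$name] = $rule['message'];
            continue;
        }
        $value = filter_var($raw, $rule['filter'], ['options' => $rule['options'] ?? []]);
        if ($value === false) {
            $errors[$name] = $rule['message']; // ordinary bad input: tell the user which field
        } else {
            $clean[$name] = $value;
        }
    }
    return [$clean, $errors, $suspicious];
}

// Constructed sample submission (not from the thread).
$post = ['age' => '200', 'email' => 'user@example.com',
         'comment' => '<b>hello</b>', 'is_admin' => '1'];
[$clean, $errors, $suspicious] = validate_form($post);

foreach ($errors as $field => $message) {
    echo "$field: $message\n";
}
array_map('error_log', $suspicious);
// The comment passed validation with its tags intact; it is escaped where it is shown.
echo htmlspecialchars($clean['comment'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
```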