Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94901
Return-Path: <me@kelunik.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 85754 invoked from network); 7 Aug 2016 15:20:26 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 7 Aug 2016 15:20:26 -0000
Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.161 cause and error)
X-PHP-List-Original-Sender: me@kelunik.com
X-Host-Fingerprint: 81.169.146.161 mo4-p00-ob.smtp.rzone.de  
Received: from [81.169.146.161] ([81.169.146.161:26693] helo=mo4-p00-ob.smtp.rzone.de)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 77/E2-33134-8B157A75 for <internals@lists.php.net>; Sun, 07 Aug 2016 11:20:25 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1470583221; l=5758;
	s=domk; d=kelunik.com;
	h=Content-Type:Cc:To:Subject:Date:From:References:In-Reply-To:
	MIME-Version;
	bh=ACq/tgmDAkbhU8QOyvFkMfo7t2kEh/UoA1uwhBwa13A=;
	b=EIP8qHImgg+Tk3rywHWf0lpvYu3QiEP/6zGjnGvDLwU8mpL6onoRX+Tlt86OwScRfuP
	4v+82yXFVaXBSlolAvOa6oE4kozXpkbv3QL9OmoPdtRFPybt8FZWOgVIrdg5n16SxCVxh
	UCAgi5zrW9mAIfgMQ2CY8a2d5SncNybGYVc=
X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLGvomb4bl9EfHtO3Y6
X-RZG-CLASS-ID: mo00
Received: from mail-wm0-f45.google.com ([74.125.82.45])
	by smtp.strato.de (RZmta 38.13 AUTH)
	with ESMTPSA id f085c1s77FKK0f8
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp384r1 with 384 ECDH bits, eq. 7680 bits RSA))
	(Client did not present a certificate)
	for <internals@lists.php.net>;
	Sun, 7 Aug 2016 17:20:20 +0200 (CEST)
Received: by mail-wm0-f45.google.com with SMTP id q128so84153886wma.1
        for <internals@lists.php.net>; Sun, 07 Aug 2016 08:20:20 -0700 (PDT)
X-Gm-Message-State: AEkooutTBVVZusdMIr2Go0NAvsga8g4oBqIf9WuymAppB76cowSNEjKQYTHi9i7ROwIvOVPDkH5Si9l0vrvd0A==
X-Received: by 10.28.228.132 with SMTP id b126mr12537390wmh.93.1470583220561;
 Sun, 07 Aug 2016 08:20:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.28.27.206 with HTTP; Sun, 7 Aug 2016 08:20:19 -0700 (PDT)
In-Reply-To: <CAEZPtU5UAc7d++kjPa3YFUN6w=p=73tyHrG8WGLfsJXXMWg2Gw@mail.gmail.com>
References: <CAGa2bXa8Oj=xi6ZUKYFe5XXuhZvOL6JT=31QHoq8EG-9veGDBg@mail.gmail.com>
 <nnu4fj$cul$1@blaine.gmane.org> <CAGa2bXZrtf1jy_W4Dzs72mxs9kmXx5586jbagjHRop3uzcuFYA@mail.gmail.com>
 <nnv8rf$24e$1@blaine.gmane.org> <CAGa2bXZh1BP48oM+AHzB9Yb4r5+B+W8WDOU-KEsVe+N4KHza4g@mail.gmail.com>
 <CAEZPtU5UAc7d++kjPa3YFUN6w=p=73tyHrG8WGLfsJXXMWg2Gw@mail.gmail.com>
Date: Sun, 7 Aug 2016 17:20:19 +0200
X-Gmail-Original-Message-ID: <CANUQDChyL9irik2W4LtGLDCbsYnPQMT8_5Ye-h9u2Tt+-k-vdQ@mail.gmail.com>
Message-ID: <CANUQDChyL9irik2W4LtGLDCbsYnPQMT8_5Ye-h9u2Tt+-k-vdQ@mail.gmail.com>
To: Pierre Joye <pierre.php@gmail.com>
Cc: Yasuo Ohgaki <yohgaki@ohgaki.net>, PHP internals <internals@lists.php.net>, 
	Christian Stadler <stadli@gmx.de>
Content-Type: multipart/alternative; boundary=001a114b09b279810005397cd649
Subject: Re: [PHP-DEV] Adding validate_var_array()/validate_input_array() to
 which version?
From: me@kelunik.com (Niklas Keller)

--001a114b09b279810005397cd649
Content-Type: text/plain; charset=UTF-8

2016-08-07 14:20 GMT+02:00 Pierre Joye <pierre.php@gmail.com>:

> On Aug 5, 2016 2:30 AM, "Yasuo Ohgaki" <yohgaki@ohgaki.net> wrote:
> >
> > Hi Christian,
> >
> > On Thu, Aug 4, 2016 at 8:27 PM, Christian Stadler <stadli@gmx.de> wrote:
> > > Am 04.08.2016 um 12:10 schrieb Yasuo Ohgaki:
> > >> Hi Christian and all,
> > >>
> > >> On Thu, Aug 4, 2016 at 10:07 AM, Christian Stadler <stadli@gmx.de>
> wrote:
> > >>> Am 01.08.2016 um 10:23 schrieb Yasuo Ohgaki:
> > >>>> P.S. It's possible to return array that contains offending values.
> It
> > >>>> is not included since users can store whole offending input array.
> > >>>> Whole input is more useful for attack analysis.
> > >>> Actually I wanted to suggest exactly that for ppl. who want to give
> > >>> Feedback to their users, what values failed to validate to the users.
> > >>> Probably with a fourth optional param, like `$return_invalid =
> false`?
> > >>> Of course logging is a different topic and should always use the
> whole
> > >>> offending input array.
> > >> I can set offending value to filter globals so that it can be
> > >> retrieved later in catch block. I cannot return or modify referenced
> > >> parameter because of raised exception.
> > >
> > > Well, since some people have objections about raising exceptions here,
> > > this should probably be either in a seperate vote or additional options
> > > in the main vote. Probably something, like:
> > > Yes, either | Yes, without the exception | Yes, with the exception | No
> > > Personally I would vote for 'Yes, either'. If I could, that is.
> >
> > One of my objective is following best practices.
> > Prefer exception over error is one of them. Although, I strongly suggest
> > to use exception for validation errors, I will have choices.
>
> I see them as conditions flow not errors per se but flow.
>
> Invalid options could raise exceptions but it brings inconcistencies with
> the other filter functions.
>
> I feel like this rfc needs more discussions and maybe we will add more
> things to filter as well.
>
> But anything proposed is already possible very easily in userland. I would
> not rush it into 7.1.
>

Isn't it a bit late to target 7.1 anyway?

Regards, Niklas

--001a114b09b279810005397cd649--