Newsgroups: php.internals
Xref: news.php.net php.internals:95070
Subject: Re: [PHP-DEV] Simple variable handling.
To: internals@lists.php.net
Date: Fri, 12 Aug 2016 10:21:12 +0100
Message-ID:
In-Reply-To: <9f76a201-7423-51d3-96df-d14a1f38b843@gmail.com>
References: <10fbcb03-5de8-4d9a-da1c-7e2bf77937cb@lsces.co.uk> <9f76a201-7423-51d3-96df-d14a1f38b843@gmail.com>
From: lester@lsces.co.uk (Lester Caine)

On 12/08/16 09:58, Rowan Collins wrote:
>> From a practical point of view of course, the validation of inputs may
>> well be done in the browser so that the constraints get passed TO some
>> html5 check, or javascript function. So having uploaded the form one
>> COULD simply tag a variable as valid?
>
> Just a reminder to you and anyone else reading: NEVER TRUST USER INPUT.
> You can add all the JS in the world to your forms, but a user can always
> ignore that and craft their own input with whatever data they like in it.

Many of my systems run on secure intranets, and much of the 'safety concerns' that have been brought up recently as 'essential' simply don't apply. YES, for web services that anybody has access to, 'NEVER TRUST USER INPUT' is the rule, but for a simple local-network-only system one can trust that the browser is doing the right thing. It's one of the reasons I've not been able to convert a number of sites, since they don't have a problem :(

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
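The reminder quoted above, "a user can always ignore that and craft their own input", is what the following added example illustrates; it is not code from the thread, from either poster, or from PHP itself. It assumes a hypothetical form field named "age" rendered as `<input type="number" name="age" min="18" max="120" required>`, and re-applies those same bounds on the server with `filter_var()`, so that a request built with curl instead of a browser is held to the same constraints. The sample inputs at the bottom are constructed for the demonstration.

```php
<?php
// Added example: enforce on the server the constraints the HTML5 attributes
// only suggest to the browser. The field name and bounds are assumptions.
declare(strict_types=1);

const AGE_MIN = 18;   // mirrors the hypothetical min="18" attribute
const AGE_MAX = 120;  // mirrors the hypothetical max="120" attribute

/**
 * Validate a raw form value as an integer within [AGE_MIN, AGE_MAX].
 * Returns the integer on success, or null when the value must be rejected.
 */
function validate_age(mixed $raw): ?int
{
    // Form fields arrive as strings. Anything else (e.g. age[]=25, which
    // PHP decodes into an array) is not a valid submission at all.
    if (!is_string($raw)) {
        return null;
    }

    // FILTER_VALIDATE_INT rejects floats, exponents, hex and non-digits,
    // and the options apply the same range the browser was asked to enforce.
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => AGE_MIN, 'max_range' => AGE_MAX],
    ]);

    return $value === false ? null : $value;
}

// In a real handler the value would come from the request, e.g.:
//   $age = validate_age($_POST['age'] ?? null);
// and a null result would end the request with an error response.

// Constructed inputs. The first two are what a browser honouring the HTML5
// attributes would send; the rest are what `curl -d 'age=...' <url>` (or
// any client that ignores the attributes) can send just as easily.
$samples = [
    '18',     // lower bound, accepted
    '120',    // upper bound, accepted
    '17',     // below min, browser would block it, server must too
    '121',    // above max
    '-5',     // negative
    '1e3',    // exponent notation, not an int
    '0x19',   // hex, rejected without FILTER_FLAG_ALLOW_HEX
    'abc',    // not numeric
    '',       // empty, the "required" attribute is not enforced server-side
    ['25'],   // age[]=25, never a valid scalar field
];

foreach ($samples as $raw) {
    $shown  = is_array($raw) ? 'array' : var_export($raw, true);
    $result = validate_age($raw);
    printf("%-8s => %s\n", $shown, $result === null ? 'reject' : 'accept ' . $result);
}
```

Run it from the command line with `php` to see which of the constructed inputs survive. The point of keeping the bounds in one place on the server is that the HTML attributes can then be treated purely as a usability aid: the same `validate_age()` runs whether the request came from the intended form, from a modified copy of it, or from no browser at all.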