Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:95164
Return-Path: <danack@basereality.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 93873 invoked from network); 15 Aug 2016 01:25:20 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 15 Aug 2016 01:25:20 -0000
Authentication-Results: pb1.pair.com smtp.mail=danack@basereality.com; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=danack@basereality.com; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain basereality.com from 209.85.217.178 cause and error)
X-PHP-List-Original-Sender: danack@basereality.com
X-Host-Fingerprint: 209.85.217.178 mail-ua0-f178.google.com  
Received: from [209.85.217.178] ([209.85.217.178:33934] helo=mail-ua0-f178.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id EC/48-36656-FF911B75 for <internals@lists.php.net>; Sun, 14 Aug 2016 21:25:20 -0400
Received: by mail-ua0-f178.google.com with SMTP id k90so55288904uak.1
        for <internals@lists.php.net>; Sun, 14 Aug 2016 18:25:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=basereality-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=XxIUAJqJ+6CUsJQJRwMpbPGC6kQW1GzYuSwlasAMtqE=;
        b=JEq5IjACs8yv2n9Ui6Vy9brmqOyIaYz7tzE72Bjoy1tKmC+furFCyfkjgezDwBDCNr
         KO6iyKF3shgGkkuGSVIrm2E/vm66Rj77CY/oss+QCbhR0DXqAS6sTN9N1f6Qn9LUCYHN
         6Jhj05D5PrnX+0/ji4ey7jdWQT91XLRA9NPk9fDV+QQCHCLXSRzPujHwbOZjxmKsuTlz
         +Dx8VpBNH/9KAMX2bZa3v5NF79PukN4MpdTuFAom3pGg6t2g92KiYBWdSSCxFlxioEj3
         +y5VEJMyhOH63OpBBiYU1xl/7cZqjG5FBRdM5T6w2SzzsnjuSgAKn4YtqW6KgxZmqpgd
         oUIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=XxIUAJqJ+6CUsJQJRwMpbPGC6kQW1GzYuSwlasAMtqE=;
        b=SbQvq8yaEBgriEA5SX2DTNtU8T6GlF0ISxnapOLEj6/Yif/oRlW9PSW3k57vGHiYSM
         4+M+/Z1h4BWDulPwC9g8joHCNS2lMHZWWsjEgl6lDuzQYJhVFGypoyEfgPjKUTwKGW2g
         DULtpJGMfBFp/QM4F4Xw0boaN3iUa89MrkyWzDTtWwW58iaV7zZTDwFQOOKyQWO7hHuz
         YxAPnWTLRqMYHOeDrD/hwqnOPscrJLwSy9HSKTti2LPSbzNlVM2ajhaI6gsKprPmi2Pi
         l16IrmfUPezANMWvP9sgFeTso6sZ72cBV8L3+5HFAh9MeOXLYFNpdgkHVBk1PFYGRgNJ
         lltA==
X-Gm-Message-State: AEkoouuSsM/1kgwnSvF+1jUSM9Ot9kMlOPeNBjeqVlkhBk5sJc7K71SyFlUqyt94DlMg0oIXT9IviR0faU41Ug==
X-Received: by 10.159.55.175 with SMTP id q44mr5631724uaq.152.1471224316408;
 Sun, 14 Aug 2016 18:25:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.69.4 with HTTP; Sun, 14 Aug 2016 18:25:15 -0700 (PDT)
X-Originating-IP: [78.145.253.19]
In-Reply-To: <CAGa2bXY-vmEgEFrE0OxQPSx=FKHeHdCayrDXxtTkHUVaJbV+-A@mail.gmail.com>
References: <CAGa2bXarw2jTj0yhXpywWNQOJLR2pdhfaqSdwj_btT2giEL15Q@mail.gmail.com>
 <CAGa2bXadVagTwBzEym9PZROmXu3SKxg=huCAQNK3k1-jZeG_pg@mail.gmail.com> <CAGa2bXY-vmEgEFrE0OxQPSx=FKHeHdCayrDXxtTkHUVaJbV+-A@mail.gmail.com>
Date: Mon, 15 Aug 2016 02:25:15 +0100
Message-ID: <CA+kxMuRiOBQpmTeKqNyV8rX0GKCLrYixi--y5TcYUkdqpT746w@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Add validation functions to filter module
From: danack@basereality.com (Dan Ackroyd)

Hi Yasuo,

On 15 August 2016 at 01:53, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> One more usual request.
> Please describe reason(s) why you object proposal.


I'm not entirely sure why you ask for reasons when people vote no. The
reasons are almost always the same as the reasons given before the
voting starts.

But for posterity:

i) Validation error messages need to specify what is wrong.....which
is bespoke to the application. Which is a reason why validation code
belongs in userland.

ii) Validation error message need to be in the correct language for an
application. It is not a good approach for people to be trying to
match strings emitted by internal code and trying to convert them to
the correct language.

iii) The argument that it needs to be fast could be applied to
anything and everything, and so is bogus. The RFC doesn't even show
that userland implementations are slow enought to be a concern.

iv) The RFC makes an assumption that programs should exit when validation f=
ails.

"Input data validation should accept only valid and possible inputs.
If not, reject it and terminate program."

and the code example:

> catch (FilterValidateException $e) {
>    var_dump($e->getMessage());
>    die('Invalid input detected!'); // Should terminate execution when inp=
ut validation fails
> }

This assumption is bogus.

Any program that accepts data from users should provide useful error
messages when the data is wrong with someting as simple as a string
being too long.

v) I don't like the current filter functions, and recommend people
avoid using them. Adding to them with an even harder to use API is the
wrong way to go.

cheers
Dan


For the record - these are what my input validation functions look
like. They are bespoke to the application, and provide useful error
messages to the end user when an exception handler catches that
specific exception to a 4xx HTTP response.

function validateOrderAmount($value) : int {
    $count =3D preg_match("/[^0-9]*/", $value);

     if ($count) {
        throw new InvalidOrderAmount("Der Wert muss nur Ziffern enthalten."=
);
     }

    $value =3D intval($value);

    if ($value < 1) {
        throw new InvalidOrderAmount("Der Wert muss eine oder mehrere sein =
.");
    }

    if ($value >=3D MAX_ORDER_AMOUNT) {
        throw new InvalidOrderAmount("Sie k=C3=B6nnen nur
".MAX_ORDER_AMOUNT." auf einmal bestellen ");
    }

    return $value;
}