Newsgroups: php.internals
Date: Wed, 17 Aug 2016 11:59:27 +0900
To: Marco Pivetta
Cc: Dan Ackroyd, PHP Internals List
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Add validation functions to filter module
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Marco,

On Mon, Aug 15, 2016 at 12:46 PM, Marco Pivetta wrote:

> Besides what was reported above by Dan, my reasoning for voting "no" is that
> this API can be implemented in userland, regardless of whether it is trivial or not.
>
> There is no reason good enough to justify yet another added endpoint
> that can even be implemented with simple function composition.

OK. Thank you. You prefer a full userland implementation.

> In addition to that, the lack of a strongly typed data structure for the
> validation DSL makes this proposed functionality very error-prone and
> obnoxious to use and maintain for future additional use-case scenarios that
> may come up.

This is a good argument.

The filter module uses definition arrays already. The RFC adds a check function for them, too. The new check function does not take care of semantics; it may be improved by having a class for defining validation rules. If we have to add more complex, yet robust, input validation definitions as arrays, all we have to do is add a version number, a totally different array structure, or an object for it.

Do you want me to drop the filter_check_definition() proposal? It's easy to write PHP code that does the same, and write it in the manual. It's only there because I'm expecting comments like the one you've made: "There is no check function for the rule definition array. It's dangerous", or something like this.

> Performance impact in userland implementations can be mitigated via codegen
> there (similar to what Nikic's FastRoute lib does): still less complicated than
> relying on the core API, maintaining it in C code, and having it locked onto
> the installed PHP version.

It is debatable how far PHP should implement mandatory features for web applications. Some may prefer PHP to be like Python or other normal languages that do not have web application support in core at all. Having a router in core is too much for me, too. However, I prefer PHP to have the basic features that are mandatory to write simple web forms. For example,

    1]); // There is RFC for this.

    function check_user_input_error($today) {
        $err_msg = array();
        // Normalise the submitted date to Ymd before comparing it with today's date
        if (date('Ymd', strtotime($today)) != date('Ymd')) {
            $err_msg[] = 'You have entered invalid date. ' . $today;
        }
        return $err_msg;
    }

    if (!empty($_POST['submit'])) {
        $err_msg = check_user_input_error($_POST['Today']);
        if (empty($err_msg)) {
            // Save CSRF protected data into some DB
        } else {
            $_POST = array();
        }
    }
    // We do need shorter/simpler/consistent escape functions somehow.
    ?>
    // Display client info and date
    You're using ... Yes, today is ...
    Enter today's date:

Simple web forms should be writable with PHP core features only, IMHO. It's impossible to teach beginners how to write code for input validation. As a result, the most important security feature, input validation, is omitted in beginner courses/examples/etc. It's great for beginners to understand what's going on in web apps and what developers should do. It's useful for small web services that require the best performance possible as well.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
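A userland version of the definition check discussed in this thread, added here as an illustration; it is not code from the original message, the RFC, or the filter extension. It assumes the definition format filter_var_array() documents (an entry is a filter id or an array with 'filter', 'flags', 'options'); the function name check_filter_definition() and the sample definition are made up for the example.

```php
<?php
// Added example (not from the original email or the RFC): a userland check for
// filter_var_array()-style definition arrays. It catches the silent failure the
// thread worries about: a typo in a spec key is ignored by the filter extension
// instead of being reported, so the field ends up unvalidated.
declare(strict_types=1);

function check_filter_definition(array $definition): array
{
    $errors = [];
    // filter_list() gives filter names; map them to ids once for the checks below.
    $known_ids = array_map('filter_id', filter_list());

    foreach ($definition as $field => $spec) {
        if (!is_string($field) || $field === '') {
            $errors[] = 'Field name must be a non-empty string, got ' . var_export($field, true);
            continue;
        }
        if (is_int($spec)) {
            if (!in_array($spec, $known_ids, true)) {
                $errors[] = "$field: unknown filter id $spec";
            }
            continue;
        }
        if (!is_array($spec)) {
            $errors[] = "$field: spec must be a filter id or an array";
            continue;
        }
        // Only these three keys mean anything to filter_var_array(); anything else is a typo.
        foreach (array_keys($spec) as $key) {
            if (!in_array($key, ['filter', 'flags', 'options'], true)) {
                $errors[] = "$field: unknown key '$key' (typo?)";
            }
        }
        if (isset($spec['filter']) && !in_array($spec['filter'], $known_ids, true)) {
            $errors[] = "$field: unknown filter id";
        }
        if (isset($spec['flags']) && !is_int($spec['flags'])) {
            $errors[] = "$field: flags must be an int bitmask";
        }
        // Per-filter option names (min_range, regexp, ...) are not checked here.
        if (isset($spec['options']) && !is_array($spec['options']) && !is_callable($spec['options'])) {
            $errors[] = "$field: options must be an array (or a callable for FILTER_CALLBACK)";
        }
    }
    return $errors;
}

// Constructed sample definition: 'filtr' is a typo filter_var_array() would silently accept.
$definition = [
    'age'   => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1, 'max_range' => 120]],
    'email' => FILTER_VALIDATE_EMAIL,
    'today' => ['filtr' => FILTER_VALIDATE_REGEXP, 'options' => ['regexp' => '/^\d{8}$/']],
];
var_dump(check_filter_definition($definition));
```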