Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:95255 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 67107 invoked from network); 17 Aug 2016 08:33:28 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 17 Aug 2016 08:33:28 -0000 Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.196 as permitted sender) X-PHP-List-Original-Sender: smalyshev@gmail.com X-Host-Fingerprint: 209.85.192.196 mail-pf0-f196.google.com Received: from [209.85.192.196] ([209.85.192.196:33119] helo=mail-pf0-f196.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id BB/33-45465-85124B75 for ; Wed, 17 Aug 2016 04:33:28 -0400 Received: by mail-pf0-f196.google.com with SMTP id i6so7318021pfe.0 for ; Wed, 17 Aug 2016 01:33:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=WqtZVSaVko55DcpcaWoKX/Yh+1N77KioJm6YMacY+Gc=; b=ECXZ1dct5AysJrqyGRtbM5CWFKY1PTYsapw/7AGat6NdZptUh+/ipwLgwclTAIuR8m BfC34MvPoEHQCL6N7/INcOf4hltI6hQa4Z8Hf3VkeoByU14PW28PEcCsYx22Jb/7h6w2 MbiAJItL0SPyds9RCME1yO74WfcZwoVDUNX8BlqeClt0r+judGmc7G97/PVfNf0rzyAM b/IT14lVmfRBhu3H/TiyKt86BRwBQC6t2rur8qq/enLCkskVg7dt77UWcKwmL3Ujesbu CjCQNp4a/ox34uNYoJM6sZd5YiCHCqdDCEdZtdIFhFTI3uqdFGMmeuWMC+aXFD9nuh86 msNA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=WqtZVSaVko55DcpcaWoKX/Yh+1N77KioJm6YMacY+Gc=; b=auubZTG7rnAZbDwsoF5Bli4VCV2wzVhBgZ2BGUkjzvVVt0rbvejeReVV2Ed3diyT/g 1Hf82dEX0mstzscUBxBa+jlHeBV1GLzjg6l2JdRCfdaqKgJ+1MrNbBp2lNL7Dj7dHur3 MyX/t98ufeT9Y724U11DZV0Wc3LAoXMQenG2B30zWjXHuO63Pt9bBExDTLR1tIqMwgQA SJt43WPf92oM2ViC2hQqC5qjq7hzBgUHSWLypSzKrXR8n3s66LA4qEgwgUkkwPpMe5v/ WY26xe/xmxxaJo0q0jXXEDVqFZoPuOZUIALWOIg4MKS4CC8mvEzFnYVxLNkv+9A5EYrK J85A== X-Gm-Message-State: AEkooutRd+S63E9HZ66bjHLDZdt4+lAG7YaHLLFusstpYFa1S+D6hShxxh9wuLjpd0yM3g== X-Received: by 10.98.33.72 with SMTP id h69mr71912623pfh.28.1471422804890; Wed, 17 Aug 2016 01:33:24 -0700 (PDT) Received: from Stas-Air.local (108-233-206-104.lightspeed.sntcca.sbcglobal.net. [108.233.206.104]) by smtp.gmail.com with ESMTPSA id i7sm45173135paf.9.2016.08.17.01.33.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 17 Aug 2016 01:33:24 -0700 (PDT) To: Yasuo Ohgaki References: <7795ca21-bd70-fe65-9519-af95fdfee33f@gmail.com> Cc: Marco Pivetta , Dan Ackroyd , PHP Internals List Message-ID: Date: Wed, 17 Aug 2016 01:33:21 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Add validation functions to filter module From: smalyshev@gmail.com (Stanislav Malyshev) Hi! > Let's say your app validate user written/chosen "Date" on client side by > JavaScript. Then browser must send whatever "Date" format you impose > to client. It may be "YYYYMMDD", for example. I'm not sure what Javascript has to do with it. Many apps don't have any client-side and have little to do with Javascript. Assuming that whole world is browser applications running Javascript (controlled by you) would be a big mistake. > Then programer should not accept "Date" format other than "YYYYMMDD" > because other format is invalid. Accepting format other than "YYYYMMDD" > does only bad and increase risks of program malfunctioning. i.e. All kinds > of injections like JavaScript, SQL, Null char, Newline, etc. What you mean by "accept" here? I think you are under impression (please correct me if I'm wrong) that there are only two ways for application to work - either treating all inputs equally, or bailing out immediately when incorrect input is detected. However, this is not the case, there are many other ways for application to handle the situation of invalid input - while knowing it is invalid - and exact manner of this handling is application-dependent. > "Input validation" should reject all of them and does not have to inform users > (attackers) to "there is invalid input". If you need to tell legitimate users I think we disagree here. I think not doing this makes my work as a developer much much harder. > "There is invalid input", then it should be treated by "Business logic", not by > "Input validation". Wait, input validation happens before business logic has a chance to run, so if input validation bails, how business logic can treat anything? > "User name" and "Password" shouldn't have CNTRL chars or invalid char > encoding. Even when fields are plain , there shouldn't be 500 chars > long inputs for them. So your proposal seems to be having two input checking procedures instead of one. I don't think people would find it very useful to have two separate input checking procedures. -- Stas Malyshev smalyshev@gmail.com