Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Add validation functions to filter module
From: Lester Caine <lester@lsces.co.uk>
To: internals@lists.php.net
Date: Thu, 18 Aug 2016 07:22:59 +0100
In-Reply-To: <40279244-a1ba-2680-8a14-89708bcd1852@gmail.com>

On 18/08/16 02:34, Stanislav Malyshev wrote:
> > The input validation only rejects invalid input.
> >
> > If you use plain for "date", then you should consider any valid
> > UTF-8 without CNTRL chars up to 100 char or so, not "YYYYMMDD".
> > (Assuming UTF-8 is the encoding)
>
> But why? If I just check for YYYYMMDD I automatically get all invalid
> UTF-8 etc. rejected, without even thinking about it.

Yasuo - If there is a bug in the client side process, whatever that is, which causes something which YOU think is an invalid input, then you would consider everything is broken? Just where do you draw the line between invalid input and incorrect input? If the YYYYMMDD has a couple of duff UTF-8 characters appended, you crash out rather than simply flagging the error? How do you distinguish between an attacker and a naive user who simply does not know you can't use cut and paste to copy something over because the OS will also copy all the hidden HTML along with it?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
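As an added illustration of the question raised in this thread (where to draw the line between invalid and merely incorrect input), here is a strict YYYYMMDD validator that reports which rule rejected the input instead of failing opaquely. This is example code written for this page; it is not part of the thread, the filter RFC, or the filter extension. The function name, the reason strings and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not from the thread or the filter RFC. Function name and
// reason strings are assumptions for illustration.

declare(strict_types=1);

// Returns null when $input is a valid YYYYMMDD date, otherwise a short
// reason string. Checks run from "bytes are broken" to "well-formed but
// wrong", so the caller can log the two kinds of failure differently.
function validateYyyymmdd(string $input): ?string
{
    // 1. Well-formed UTF-8 first. A date with malformed bytes appended
    //    is rejected here, before any pattern matching sees it.
    if (!mb_check_encoding($input, 'UTF-8')) {
        return 'invalid-utf8';
    }
    // 2. Control characters (covers hidden formatting from a paste).
    if (preg_match('/[\x00-\x1F\x7F]/', $input) === 1) {
        return 'control-char';
    }
    // 3. Exact shape: eight ASCII digits and nothing else. \A and \z
    //    anchor at the true start and end; $ alone would still accept a
    //    trailing newline.
    if (preg_match('/\A(\d{4})(\d{2})(\d{2})\z/', $input, $m) !== 1) {
        return 'not-yyyymmdd';
    }
    // 4. Calendar sanity: 20160231 has the right shape but no such day.
    if (!checkdate((int) $m[2], (int) $m[3], (int) $m[1])) {
        return 'impossible-date';
    }
    return null;
}

// Constructed sample inputs covering the cases discussed in the thread.
$samples = [
    '20160818',           // valid
    "20160818\xC3\x28",   // valid date with malformed UTF-8 appended
    "20160818\r\n",       // trailing line break from a copy-and-paste
    '20160231',           // eight digits, but not a real date
    '2016-08-18',         // a date, but not in YYYYMMDD form
];

foreach ($samples as $s) {
    $reason = validateYyyymmdd($s);
    // addcslashes keeps non-printable bytes visible in the output.
    printf("%-24s => %s\n", addcslashes($s, "\0..\37\177..\377"), $reason ?? 'ok');
}
```

The point of returning a reason rather than a bare false is that a validator can be strict (only YYYYMMDD passes) while still letting the application treat "invalid-utf8" and "not-yyyymmdd" as different events: the first is worth alerting on, the second is usually a user typing or pasting the wrong thing.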