Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:95289
Return-Path: <lester@lsces.co.uk>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 81691 invoked from network); 18 Aug 2016 07:27:26 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 18 Aug 2016 07:27:26 -0000
Authentication-Results: pb1.pair.com smtp.mail=lester@lsces.co.uk; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=lester@lsces.co.uk; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lsces.co.uk from 217.147.176.230 cause and error)
X-PHP-List-Original-Sender: lester@lsces.co.uk
X-Host-Fingerprint: 217.147.176.230 mail4-3.serversure.net Linux 2.6
Received: from [217.147.176.230] ([217.147.176.230:52500] helo=mail4.serversure.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id E3/A8-23968-D5365B75 for <internals@lists.php.net>; Thu, 18 Aug 2016 03:27:26 -0400
Received: (qmail 25283 invoked by uid 89); 18 Aug 2016 07:27:22 -0000
Received: by simscan 1.3.1 ppid: 25276, pid: 25280, t: 0.0832s
         scanners: attach: 1.3.1 clamav: 0.96/m:52/d:10677
Received: from unknown (HELO ?10.0.0.7?) (lester@rainbowdigitalmedia.org.uk@81.138.11.136)
  by mail4.serversure.net with ESMTPA; 18 Aug 2016 07:27:22 -0000
To: internals@lists.php.net
References: <CAGa2bXarw2jTj0yhXpywWNQOJLR2pdhfaqSdwj_btT2giEL15Q@mail.gmail.com>
 <CAGa2bXadVagTwBzEym9PZROmXu3SKxg=huCAQNK3k1-jZeG_pg@mail.gmail.com>
 <CAGa2bXY-vmEgEFrE0OxQPSx=FKHeHdCayrDXxtTkHUVaJbV+-A@mail.gmail.com>
 <CA+kxMuRiOBQpmTeKqNyV8rX0GKCLrYixi--y5TcYUkdqpT746w@mail.gmail.com>
 <CAGa2bXa78fkZw8gtepmBDu+VDwHW_WiDDv65=zzgLTFqYxF+DA@mail.gmail.com>
 <CADyq6s+Y-OeKEyMus5s7xp9MqY7Fq7udqd5BRwtyGXbYCY1Uag@mail.gmail.com>
 <CADyq6sJuHCrLOoL22MWHv+cfrQQx9z=avswCpDVmnuyBCAchsA@mail.gmail.com>
 <CADyq6sKs=e_1Pc_CCLuThsU-qsvRseQcpx=sWKB_uhWsg=aRmQ@mail.gmail.com>
 <7795ca21-bd70-fe65-9519-af95fdfee33f@gmail.com>
 <CAGa2bXZMrO__dVd=qVoKjuPmcvVJ-q4xa8XKc0+aj1kH7Xd2Fw@mail.gmail.com>
 <fe3ccc4c-e81e-34fc-3257-19bd943e4abe@gmail.com>
 <CAGa2bXYy_tNiRfmy=jTsy-GALN4t8SDfxZ5vZocVCMw_7mMO6Q@mail.gmail.com>
 <40279244-a1ba-2680-8a14-89708bcd1852@gmail.com>
 <CAGa2bXYfaAXHay0txn46ui6T+nJ78ey=zCm9tKuWU2vCpEKTpg@mail.gmail.com>
 <ba10221f-717c-3c8c-9768-23d6a4cf0386@gmail.com>
Message-ID: <08c8ca8b-fb14-fd1a-c6fa-2ee4db6e870a@lsces.co.uk>
Date: Thu, 18 Aug 2016 08:27:21 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.2
MIME-Version: 1.0
In-Reply-To: <ba10221f-717c-3c8c-9768-23d6a4cf0386@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Add validation functions to filter
 module
From: lester@lsces.co.uk (Lester Caine)

On 18/08/16 07:54, Stanislav Malyshev wrote:
>> Broken char encoding shouldn't came from legitimate users. Text
>> > contains CNTRL chars from <input type="text" name="var" /> shouldn't
>> > come from legitimate users. 1MB data from <input type="text"
>> > name="var" /> shouldn't come from legitimate users. Numeric database
>> > record ID that is set by app shouldn't contain anything other than
>> > digits. And so on.
> I think you are mixing abnormal situations due to physical limitations
> of software (like memory limits, etc.) with business logic. Numeric
> format validation and size limits are clearly business logic. Encoding
> may be not, depending on what the input is and used for.

Currently if the post data contained a large block of text how is that
handled in the $_POST array? If we have specified a validator that say
['note'] has a 1k limit, then only the first 1024 characters will be
usable so anything else can be scrapped. Yes I know that we have a
chicken and egg in that $_POST['note'] has to be created before we can
augment it with other information, and currently that happens by copying
$_POST['note'] to a well defined $note further down the chain, but how
difficult would it be for a set of annotations to be picked up as part
of the process of creating $_POST['note'] in the first place?

Even strict typing does not help here since all we have is 'string'
where even something as simple as 'short_string' for a 256 byte limit
string would help, but adding even a simple set of limits to the base
variables addresses the majority of what is being discussed? Even if you
leave the finer validation rules such as 'valid email' to later
'business' logic? But is it really that difficult to go from
'short_string' to 'email' as a validation rule?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk