Newsgroups: php.internals
Date: Mon, 22 Aug 2016 12:41:10 +0900
To: Lester Caine
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Add validation functions to filter module
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Lester,

On Sat, Aug 20, 2016 at 6:21 PM, Lester Caine wrote:
> On 20/08/16 08:30, Yasuo Ohgaki wrote:
>> The input validation we are discussing is "Input/output rules between
>> client and server". It decides what's valid/invalid.
>
> I think I'm getting two things confused and am mixing your array
> filtering RFC up with this one. There is so much speculative stuff being
> discussed rather than trying to nail down key elements?
>
> I am looking at the whole process, so I have client side validation which
> is built from a set of rules added to the smarty templates. This still
> has a couple of gaps where manual creation of javascript is still
> needed, but that relates more to getting the validation working with
> bootstrap3. This gives me a clean set of post data, and if one could
> ignore the morons then working with the $_POST array would be a doddle,
> but because we live in the real world, it's the BUILDING of the $_POST
> array when one can't trust the provider that we want to filter, and in
> an ideal world the rules would be used for each variable as they are
> added to the array, rather than post creating the array. One could
> almost envisage a check that the post data packed IS too big for the set
> of variables being returned and crash out, but simply throwing away
> suspect data as each variable is built and having the logic to simply
> create an exception on the first failure, only pass those fields that
> are valid ensures the $_POST array matches the client's data array.

I might have misunderstood you. It seems you would like to validate inputs
as convention rather than configuration. e.g. use variable names that
specify what it should be, for instance i_age is integer where "i_" is for
integer.
Or you would like to build validation rules on the fly, like if there is
"age" in the input array, automatically validate it as "integer",
"minimum=0", "maximum=130".

If the above is what you would like to achieve, you can do it by building
the validation rule array on the fly. Something like

    // Start from the rules that always apply to this request.
    $validation_rules = get_default_rule_for_this_request();
    foreach ($_POST as $key => $value) {
        // A submitted key must not replace a default rule.
        if (!empty($validation_rules[$key])) {
            throw new Exception('You cannot override default rule of '.$key);
        }
        // Derive the rule for this key from its name.
        $validation_rules[$key] = get_validation_rule($key);
    }
    // Check the assembled definition, then validate the input against it.
    assert(filter_check_definition($validation_rules));
    $mypost = filter_require_var_array($_POST, $validation_rules);

Is this what you want?

--
Yasuo Ohgaki
yohgaki@ohgaki.net
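
The per-key and prefix-based rule lookup discussed in this message, as an added example that is not from the original e-mail or the RFC. It uses stock filter_var() rather than the RFC's proposed functions. The rule tables, rule_for_key() and validate_input() are hypothetical names, and the sample input is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical rule tables; field names, prefix and limits are assumptions.
const FIELD_RULES = [
    'age' => ['filter' => FILTER_VALIDATE_INT,
              'options' => ['min_range' => 0, 'max_range' => 130]],
];
const PREFIX_RULES = [
    'i_' => ['filter' => FILTER_VALIDATE_INT, 'options' => []],
];

// Resolve a rule by exact name first, then by naming convention.
function rule_for_key(string $key): ?array
{
    if (array_key_exists($key, FIELD_RULES)) {
        return FIELD_RULES[$key];
    }
    foreach (PREFIX_RULES as $prefix => $rule) {
        if (strncmp($key, $prefix, strlen($prefix)) === 0) {
            return $rule;
        }
    }
    return null;
}

// Return typed values, or throw on the first unknown or invalid field.
function validate_input(array $input): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        $rule = rule_for_key((string) $key);
        if ($rule === null) {
            throw new UnexpectedValueException('No rule for field ' . $key);
        }
        // age[]=1 arrives as an array; FILTER_VALIDATE_INT expects a scalar.
        $result = is_string($value)
            ? filter_var($value, $rule['filter'],
                ['options' => $rule['options'], 'flags' => FILTER_NULL_ON_FAILURE])
            : null;
        if ($result === null) {
            throw new UnexpectedValueException('Invalid value for field ' . $key);
        }
        $clean[$key] = $result;
    }
    return $clean;
}
// Constructed sample input standing in for $_POST.
var_dump(validate_input(['age' => '42', 'i_count' => '7']));
```

An out-of-range value such as 'age' => '131', or a key with no matching rule, throws instead of reaching application code.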