Newsgroups: php.internals
Date: Tue, 6 Sep 2016 11:19:05 +0900
To: Lester Caine
Cc: "internals@lists.php.net"
In-Reply-To: <819abe3a-5bfc-773a-025d-edfe92961a3a@lsces.co.uk>
References: <232F1604-2211-4351-B830-EDC958A25D6D@strojny.net> <2de35db0-9974-cc96-83dd-3d2dbd48f7f8@lsces.co.uk> <5b72e9da-068a-bc79-82c2-f36f723f42bb@gmail.com> <819abe3a-5bfc-773a-025d-edfe92961a3a@lsces.co.uk>
Subject: Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Lester,

On Fri, Sep 2, 2016 at 7:58 PM, Lester Caine wrote:
> A filter of "is this string corrupted with an injection attempt" seems
> rather more difficult to define than "email"? And applying the first in
> general on every string when there are a set of simple filters that can
> be used ... as an alternative to the more difficult to define ones?

Input validation code does not have to address all injections. It's the
output code's responsibility to prevent injections in the first place,
i.e. Top 10 Secure Coding Practices - #7
https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices

Nonetheless, poor ID validation is not rare even in well-known code.
Parameters like IDs are easy to make sure are safe from any injections.
e.g.
https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q

IDs are not the only ones; Accept-Language, encoding, Referer, etc. are
common sources of injections also.

Input validation code is for mitigation against unknown/unaddressed
vulnerabilities in the entire code base: not only PHP code, but also the
language, libraries written in C/C++ and/or external systems such as the
DB.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
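The two layers the message separates, shown as an added PHP example that is not part of the original post or of the RFC under discussion: a strict input-validation layer for an ID parameter and an Accept-Language header (the mitigation layer), and an output layer that stays responsible for preventing SQL injection by parameterising the query. The function names, the `users` table, the sample inputs and the use of the pdo_sqlite extension for an in-memory database are assumptions made for this illustration.

```php
<?php
// Added example (not from the original message): input validation as a
// mitigation layer, with the output layer still responsible for preventing
// injection. Function names, the table and the sample inputs are assumptions.
declare(strict_types=1);

// Input validation: an ID must be a positive integer literal and nothing
// else. filter_var() returns the int on success and false for anything
// that is not an integer literal ("1 OR 1=1", "1e3", "0x1", "1;"), so
// unexpected characters are rejected regardless of where the value is
// used later.
function validate_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Input validation for a header that is easy to forget: accept only a
// conservative subset of the Accept-Language syntax (language tags with
// optional q-values, no "*" wildcard) and cap the length, so nothing
// unusual reaches the code that consumes it.
function validate_accept_language(string $raw): ?string
{
    if (strlen($raw) > 256) {
        return null;
    }
    $tag = '[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*(?:;q=(?:0(?:\.\d{1,3})?|1(?:\.0{1,3})?))?';
    return preg_match('/\A' . $tag . '(?:\s*,\s*' . $tag . ')*\z/', $raw) === 1 ? $raw : null;
}

// Output side: the query is parameterised, so even if validation were
// bypassed the value is never interpreted as SQL.
function find_user(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumes the pdo_sqlite extension; an in-memory database stands in for a
// real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed sample inputs: the first two are what a well-formed request
// carries; the rest are the kind of values that reach poorly validated ID
// parameters.
foreach (['2', '42', '1 OR 1=1', '0', '1e3', '0x1'] as $raw) {
    $id = validate_id($raw);
    if ($id === null) {
        printf("id %-12s rejected by input validation\n", var_export($raw, true));
        continue;
    }
    $user = find_user($db, $id);
    printf("id %-12s -> %s\n", var_export($raw, true), $user ? $user['name'] : 'no such user');
}

// Constructed header values; the last one carries a CRLF that a valid
// Accept-Language value never contains.
foreach (['en-US,en;q=0.8', 'ja', "en\r\nX-Injected: 1"] as $raw) {
    printf("Accept-Language %-28s %s\n", json_encode($raw),
        validate_accept_language($raw) === null ? 'rejected' : 'accepted');
}
```

Run with `php example.php`. The point of the split is the one the message makes: `find_user()` would be safe against SQL injection on its own because of the placeholder, while `validate_id()` and `validate_accept_language()` narrow what reaches the rest of the stack (templates, loggers, C extensions, the database) in case one of those layers has a defect nobody has addressed yet.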