Newsgroups: php.internals
From: php-lists@koalephant.com (Stephen Reay)
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"
Date: Thu, 8 Sep 2016 19:13:41 +0700
Subject: Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi Yasuo,

> On 8 Sep 2016, at 17:49, Yasuo Ohgaki wrote:
>
> Hi Stephen,
>
> On Thu, Sep 8, 2016 at 7:34 PM, Stephen Reay wrote:
>> Adding a bunch of new functions is IMO the wrong approach to this type of thing.
>> The existing filter_var/filter_input infrastructure works well, if you want to define more rules I would definitely encourage building on/improving that system not adding a bunch of extra functions.
>
> Do you really think filter module works well as optimal validator?

It’s not perfect, but nothing is. As I said, I believe the issues can largely be resolved by building on the existing functionality.

> It cannot enforce even whitelisting well…

VALIDATE_INT already accepts $max and $min options. Those options could be applied to VALIDATE_FLOAT, and $charset, $accepted_chars, $max_len, $min_len could be implemented on a new VALIDATE_STRING filter.

I understand the use-case for multiple validation per input, and for validating multiple inputs, but frankly the way this implements that is both confusing to use, and has a less than ideal error-mode.

The “filter spec” input is an array of arrays of arrays, most of which will also contain an array for ‘options’. To me that’s getting dangerously close to JavaScript’s callback hell for impossible to read code.

The error mode is also not ideal in a real world use case in my opinion. If I am validating a dozen input fields, I do *not* want to know just the first one that failed. Can you imagine using a web form that made you submit 12 times to tell you each time you got a field wrong, rather than trying to validate them ALL and telling you ALL the errors at once?

Personally I think a better approach is:

1. improve/adding to the filters available, and if desired, add extra flags/options e.g, to throw an exception on failure (which, btw was requested via bugs.php.net 6 years ago), to set min/max values for FILTER_VALIDATE_FLOAT, etc.
2a. Leave the multiple rules per input to userland (e.g. dev uses foreach, array_walk, etc on a rules array or what have you)
2b. *maybe* add an alternative to filter_(input/var)_array where it’s 1 input and multiple rules, e.g. filter_(input|var)_multiple

If you wanted to follow 2b, I’d suggest perhaps tackling it as a separate RFC - improving *what* can be validated isn’t necessarily tied to *how* you define what you want validated.

Cheers

Stephen

>
> What filter module is missing as validator currently are:
>
> - Whitelisting concept (Implemented)
> - Multiple rules for a variable (Implemented)
> - String rules (Implemented)
> - Optional rule (To be implemented. Refactoring is needed)
>
> These are the missing features and cannot be fixed without additional
> functions. (W/o modifying current function behaviors)
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
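
Option 2a from the message above (multiple rules per input handled in userland) combined with its point about reporting every failed field at once, as an added example that is not part of the original thread or of the RFC. The `validate_all` helper, the field names, the rules and the sample input are assumptions made for illustration; only `filter_var()` and the `FILTER_*` constants are existing PHP API.

```php
<?php
// Added illustration (not from the thread): several filter_var() rules per
// field, applied from userland, collecting every failure in one pass.

/**
 * validate_all() is a hypothetical helper, not a PHP or filter-extension API.
 * $rules maps field => list of [filter id, options, error message].
 * Returns [clean values, errors keyed by field].
 */
function validate_all(array $input, array $rules): array
{
    $clean = [];
    $errors = [];
    foreach ($rules as $field => $fieldRules) {
        if (!array_key_exists($field, $input)) {
            $errors[$field][] = 'is required';
            continue;
        }
        foreach ($fieldRules as [$filter, $options, $message]) {
            // FILTER_NULL_ON_FAILURE reports failure as null, so a valid
            // boolean false is never confused with a rejection.
            $result = filter_var($input[$field], $filter, [
                'options' => $options,
                'flags'   => FILTER_NULL_ON_FAILURE,
            ]);
            if ($result === null) {
                $errors[$field][] = $message; // keep going: report them all
            } else {
                $clean[$field] = $result;     // typed value from the last rule
            }
        }
        if (isset($errors[$field])) {
            unset($clean[$field]);            // never expose a rejected field
        }
    }
    return [$clean, $errors];
}

// Constructed rules and input, for illustration only.
$rules = [
    'age'      => [[FILTER_VALIDATE_INT, ['min_range' => 18, 'max_range' => 120], 'must be an integer from 18 to 120']],
    'username' => [[FILTER_VALIDATE_REGEXP, ['regexp' => '/\A[a-z0-9_]{3,16}\z/'], 'must be 3-16 characters of a-z, 0-9 or _']],
    'email'    => [
        [FILTER_VALIDATE_REGEXP, ['regexp' => '/\A.{1,254}\z/s'], 'must be 1 to 254 bytes long'],
        [FILTER_VALIDATE_EMAIL, [], 'must be a valid e-mail address'],
    ],
];
$input = ['age' => '17', 'username' => 'bob!', 'email' => 'alice@example.com'];

[$clean, $errors] = validate_all($input, $rules);
print_r(['clean' => $clean, 'errors' => $errors]);
```

With the constructed input, both `age` and `username` are reported in the same pass and only `email` reaches `$clean`, so the caller can show every error at once and nothing rejected is used downstream.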