Newsgroups: php.internals (php.internals:95810)
Subject: Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Fri, 9 Sep 2016 06:47:22 +0900
To: Lester Caine
Cc: internals@lists.php.net
In-Reply-To / References: <232F1604-2211-4351-B830-EDC958A25D6D@strojny.net> <2de35db0-9974-cc96-83dd-3d2dbd48f7f8@lsces.co.uk> <5b72e9da-068a-bc79-82c2-f36f723f42bb@gmail.com>

Hi Lester,

On Thu, Sep 8, 2016 at 8:08 PM, Lester Caine wrote:
> On 08/09/16 10:02, Rowan Collins wrote:
>> No, I'm suggesting something like:
>>
>> if (
>>     ! validate_int($var, $min, $max)
>>     || ! validate_bool($var, $allowed_bool_types)
>>     || ! validate_string($var, $min_len, $max_len)
>>     || ! validate_string_encoding($var, $encoding)
>>     || ! validate_string_chars($var, $allowed_chars)
>>     || ! validate_string_regex($var, $regex)
>>     || ! validate_string_degit($var, $min_len, $max_len)
>>     || ! $callback($var) // Note: no need to wrap this callback, it's
>> just a boolean-returning function
>
> And I am looking for some way of packaging that into something I can
> read and write dynamically for each $var ...

This could be done by convention rather than configuration. You need some
rule for variable names. If the var name is ID, it must always be a numeric
string, for example. A convention is a developer-defined rule, so how to do
it is left to the developer.

> $var->set_validation_rules($rules); And $rules is going to be an array
> of items which can then be used for related parallel activities such as
> populating the browser validation.
>
> So the above script is replaced by $var->is_valid(); or if you prefer it
> throws an exception when you try and set the variable with an invalid
> input ( or one that does not match a 'strict' rule ).

I think convention rather than configuration works. However, not all
checks should/can be done by the model, because the model treats data
related to the model and leaves other vars behind. Leftovers could be a
cause of vulnerabilities. IIRC, Magento had a vulnerability that allowed
malicious access due to internal redirects. This kind of problem can be
mitigated by strict input validation at the time inputs are accepted.

Anyway, your way would work with autoboxing.
https://wiki.php.net/rfc/autoboxing
and this proposal.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
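The two ideas in this message, picking a validation rule from the input's name by convention and refusing any input that no rule covers, as an added userland example that is not part of the RFC or of this thread (the naming patterns, the rule shapes and the helper names `rule_for`, `check` and `validate_inputs` are assumptions for illustration; PHP 8 is assumed for `match` and `str_ends_with`):

```php
<?php
// Convention: the key's name determines the rule. These patterns are an
// assumption for illustration; a project would define its own.
function rule_for(string $name): ?array {
    if ($name === 'id' || str_ends_with($name, '_id')) {
        return ['type' => 'digit', 'min_len' => 1, 'max_len' => 18];
    }
    if (str_ends_with($name, '_flag')) {
        return ['type' => 'bool'];
    }
    if (str_ends_with($name, '_name')) {
        return ['type' => 'string', 'min_len' => 1, 'max_len' => 64,
                'regex' => '/\A[\p{L}\p{N} _-]+\z/u'];
    }
    return null; // no convention matches: the input is a leftover
}

// Apply one rule to one raw value. GET/POST scalars arrive as strings,
// so anything else (e.g. a nested array) is rejected outright.
function check(mixed $value, array $rule): bool {
    if (!is_string($value)) return false;
    $len = strlen($value);
    return match ($rule['type']) {
        'digit'  => ctype_digit($value)
                    && $len >= $rule['min_len'] && $len <= $rule['max_len'],
        'bool'   => in_array($value, ['0', '1', 'true', 'false'], true),
        'string' => $len >= $rule['min_len'] && $len <= $rule['max_len']
                    && mb_check_encoding($value, 'UTF-8')
                    && preg_match($rule['regex'], $value) === 1,
    };
}

// Validate every input at the point it is accepted. Returns the offending
// keys; an empty list means the whole request passed and no leftover
// survived to reach the model.
function validate_inputs(array $inputs): array {
    $errors = [];
    foreach ($inputs as $name => $value) {
        $rule = rule_for((string)$name);
        if ($rule === null || !check($value, $rule)) {
            $errors[] = (string)$name;
        }
    }
    return $errors;
}

// Constructed sample request: 'redirect' is a leftover no rule covers and
// 'user_id' is not a digit string, so both keys are reported and the
// request can be rejected before any model-level code runs.
$sample = ['user_id' => '12a', 'admin_flag' => '0', 'redirect' => '/x'];
var_dump(validate_inputs($sample));
```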