Hi all,
This RFC is to add validation functions and string validation filter.
https://wiki.php.net/rfc/add_validate_functions_to_filter
It also allows to define multiple filters for an input. i.e. You can
apply multiple filter rules for an input.
Comments are appreciated!
Thank you!
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi all,
Patch for this RFC is updated.
https://github.com/php/php-src/pull/2048
- Added filter_check_definition() - Check definition array for
  validate_array() and filter_array(). These functions ignore errors
  silently and this behavior could result in a serious security issue. We
  should provide this function at least.
- Made to require filter definitions for validate_() functions.
RFC is updated accordingly.
https://wiki.php.net/rfc/add_validate_functions_to_filter
There is a suggestion to use "CTRL".
I used CNTRL for control char, since POSIX iscntrl() exists.
We have ctype_cntrl(), IntlChar::iscntrl()
If shorter constant name is preferred, I don't mind at all.
FILTER_FLAG_STRING_ALLOW_CNTRL
↓
FILTER_FLAG_STRING_ALLOW_CTRL
Any comments?
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi Yasuo,
> Hi all,
> This RFC is to add validation functions and string validation filter.
> https://wiki.php.net/rfc/add_validate_functions_to_filter
> It also allows to define multiple filters for an input. i.e. You can
> apply multiple filter rules for an input.
> Comments are appreciated!
Thanks for this proposal :)
Some comments:
Exceptions are not exceptional in this case but if there are invalid
options or arguments but everything else is expected to succeed or
fail. So I am not in favor to have exception here.
Naming must have filter_ prefix
We do have array filters, validate or filtering functions already I am
not sure why we need another function to do very similar things. Most
if not all ext/filter users (libraries, components, frameworks)
implement their own user-friendly interfaces (classes) and use the
existing filter APIs. The developers I talked to prefer to have simple
functions but fast, high quality and safe rather than complex APIs for
a specific flow, which most likely won't match their needs. Most of
these higher level APIs are also using different approaches and OO
based, which simplifies a lot their usage.
Cheers,
Pierre
Hi Pierre,
> Thanks for this proposal :)
> Some comments:
> Exceptions are not exceptional in this case but if there are invalid
> options or arguments but everything else is expected to succeed or
> fail. So I am not in favor to have exception here.
Sounds good to me. I'll modify them.
> Naming must have filter_ prefix
This one is tough. I agree that it should have "filter_" prefix.
However, I cannot come up with better names that aren't too long.
Any suggestions? Anyone?
> We do have array filters, validate or filtering functions already I am
> not sure why we need another function to do very similar things. Most
> if not all ext/filter users (libraries, components, frameworks)
> implement their own user-friendly interfaces (classes) and use the
> existing filter APIs. The developers I talked to prefer to have simple
> functions but fast, high quality and safe rather than complex APIs for
> a specific flow, which most likely won't match their needs. Most of
> these higher level APIs are also using different approaches and OO
> based, which simplifies a lot their usage.
Those who are using full featured framework may ignore Filter module at all.
My current objective is to make PHP ready/useful/easy for micro
services, very simple web apps. As I wrote in the RFC, it's very hard
to validate things with current Filter module. It should be simpler for
simple apps.
One good thing about PHP is "It does not require complex
framework/external libs to write simple app". Sadly, this has been
changed due to security concerns.
Most of my recent proposals are for "fast/secure/easy micro services"
mostly with plain PHP, and keep "It does not require complex
framework/external libs to write simple app" :)
I understand your point of view. My view is just a different one.
Thank you for the comment!
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi all,
> This RFC is to add validation functions and string validation filter.
> https://wiki.php.net/rfc/add_validate_functions_to_filter
> It also allows to define multiple filters for an input. i.e. You can
> apply multiple filter rules for an input.
> Comments are appreciated!
I updated the RFC so that the proposed function names have the "filter_assert_" prefix.
Since input validation could mean various things, I added more descriptions
about input validation and secure coding.
https://wiki.php.net/rfc/add_validate_functions_to_filter
ToDo
- Rename function in PR
- Add flag for allowing TAB in string
- Use php_error_docref() for usage mistakes
- Finish filter_check_definition() implementation
- Add API that retrieves array key name that raises exception.
If these are finished, it's good to go for vote.
If I'm missing something or you have suggestions, please let me know soon.
Thank you!
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi all,
> https://wiki.php.net/rfc/add_validate_functions_to_filter
> ToDo
> - Rename function in PR
> - Add flag for allowing TAB in string
> - Use php_error_docref() for usage mistakes
> - Finish filter_check_definition() implementation
> - Add API that retrieves array key name that raises exception.
https://wiki.php.net/rfc/add_validate_functions_to_filter
ToDo is done and RFC is updated.
Additionally, I changed the following.
- Removed trim from int/float/bool validation filter when they are
  used with filter_require_*()
- Changed string filter's default. min_bytes=2, max_bytes=20. Larger
  range opens larger window to attackers.
- Renamed FILTER_FLAG_STRING_MULTI_LINE to FILTER_FLAG_ALLOW_NEWLINE.
I wouldn't update PR unless I have to.
Please review code and comment!
https://github.com/php/php-src/pull/2048
(exif/stream tests are failing but it should be irrelevant to this patch)
If you find issues, please let me know.
Thank you!
--
Yasuo Ohgaki
yohgaki@ohgaki.net
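A userland sketch of the string rules listed in the message above: byte-length bounds with the min_bytes=2 / max_bytes=20 defaults, control characters rejected unless allowed, and definition mistakes that are not ignored silently. This is an added example, not code from the RFC or the pull request; it uses only existing PHP functions, and check_string(), first_invalid_key() and the allow_* option names are hypothetical.

```php
<?php
// Defaults from the thread: min_bytes=2, max_bytes=20. The three allow_*
// option names are hypothetical stand-ins for the proposed flags.
const STRING_DEFAULTS = [
    'min_bytes' => 2, 'max_bytes' => 20,
    'allow_newline' => false, 'allow_tab' => false, 'allow_cntrl' => false,
];

function check_string($value, array $opts = []): bool
{
    // A misspelled option must not be ignored silently: fail loudly.
    $unknown = array_diff_key($opts, STRING_DEFAULTS);
    if ($unknown) {
        throw new InvalidArgumentException('unknown option: ' . implode(', ', array_keys($unknown)));
    }
    $opts += STRING_DEFAULTS;
    if (!is_string($value)) {
        return false;               // arrays etc. are never coerced
    }
    $len = strlen($value);          // length in bytes
    if ($len < $opts['min_bytes'] || $len > $opts['max_bytes']) {
        return false;
    }
    if ($opts['allow_cntrl']) {
        return true;
    }
    $probe = $value;
    if ($opts['allow_newline']) {
        $probe = str_replace(["\r", "\n"], '', $probe);
    }
    if ($opts['allow_tab']) {
        $probe = str_replace("\t", '', $probe);
    }
    // Any remaining C0 control byte or DEL makes the input invalid.
    return preg_match('/[\x00-\x1F\x7F]/', $probe) === 0;
}

// Returns the key of the first missing or invalid input, or null if all pass.
function first_invalid_key(array $input, array $spec): ?string
{
    foreach ($spec as $key => $opts) {
        if (!array_key_exists($key, $input) || !check_string($input[$key], $opts)) {
            return (string) $key;
        }
    }
    return null;
}
// Constructed sample input: 'tag' carries an embedded NUL byte.
$input = ['name' => "alice", 'note' => "line1\nline2", 'tag' => "a\0b"];
$spec  = ['name' => [], 'note' => ['allow_newline' => true, 'max_bytes' => 200], 'tag' => []];
var_dump(first_invalid_key($input, $spec));
```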
Hi all,
> This RFC is to add validation functions and string validation filter.
> https://wiki.php.net/rfc/add_validate_functions_to_filter
> It also allows to define multiple filters for an input. i.e. You can
> apply multiple filter rules for an input.
> Comments are appreciated!
There is missing special validation filter for optional inputs. It
might be better to add this after code refactoring, because "optional"
filter requires special behavior. If I add this now, I have to rewrite
lots of existing code, probably.
I would like to start voting soon. Anyone who has comment, please let
me know ASAP.
Davey, I'm keeping target version option. Please let me know if you
feel uncomfortable with this new feature to PHP 7.1. It's pure new
feature that does not affect existing one at all. This would be great
addition for PHP 7.1. IMHO.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net