On 12 August 2016 at 13:01, Lester Caine <les...@lsces.co.uk> wrote:

> On 12/08/16 11:01, Peter Lind wrote:
> > On 12 August 2016 at 11:54, Rowan Collins <rowan.coll...@gmail.com> wrote:
> >
> >> On 12/08/2016 10:21, Lester Caine wrote:
> >>
> >>> Many of my systems run on secure intra-nets and much of the 'safety
> >>> concerns' that have been brought up recently as 'essential' simply don't
> >>> apply.
> >>
> >> There's always rogue employees / students / visitors with temporary
> >> access... But yes, IF you trust your users 100% to be non-malicious,
> >> non-curious, and uninfected, THEN you can trust your user input. :)
> >>
> > You forgot non-clumsy. Typos also happen and can have problematic results.
> >
> > You cannot trust user input. End of discussion.
>
> That someone puts in Joens rather than Jones is a fact of life, and will
> result in records that can't be matched. But a UK formatted date
> validated in the browser makes checking it's in a valid range easier in
> the PHP end. It's simply a matter of just what you can test and where,
> and if needs be the system keeps track of who is making mistakes in data
> entry and their supervisor deals with them. THAT is a report my CMS
> systems have had from day one :)

And if all typos were switching 'e' and 'n', what a wonderful world it would be. That is not the case though - it's possible to accidentally enter " and > too.

> But if they have stolen someone else’s
> access card then all bets are off. But there is no 'delete' function on
> the data so all changes are recorded.
>

No, all bets are not off. That's the whole point of defense in depth.

-- 
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
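
An added example, not part of the original thread or any poster's code: the two layers discussed above, a UK-formatted date re-checked on the PHP side even though the browser already validated it, and a free-text field containing a stray `"` and `>` escaped on output. The function names `parseUkDate` and `h`, the allowed date range and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Server-side check of a UK-formatted (dd/mm/yyyy) date. It runs even when the
// browser has already validated the field, because a request need not come from the form.
function parseUkDate(string $raw, string $min, string $max): ?DateTimeImmutable
{
    // Strict shape first: exactly dd/mm/yyyy, digits only.
    if (!preg_match('#\A\d{2}/\d{2}/\d{4}\z#', $raw)) {
        return null;
    }
    $utc = new DateTimeZone('UTC');
    // '!' resets unparsed fields (the time) to zero so comparisons are date-only.
    $date = DateTimeImmutable::createFromFormat('!d/m/Y', $raw, $utc);
    // createFromFormat rolls 31/02/2016 over into March; the round trip rejects that.
    if ($date === false || $date->format('d/m/Y') !== $raw) {
        return null;
    }
    $lo = new DateTimeImmutable($min, $utc);
    $hi = new DateTimeImmutable($max, $utc);
    return ($date >= $lo && $date <= $hi) ? $date : null;
}

// Output-side layer: free text such as a surname is stored as typed and
// escaped for the HTML context in which it is displayed.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, standing in for values read from $_POST.
$samples = [
    ['surname' => 'Jones',   'dob' => '12/08/1976'],
    ['surname' => 'Joens',   'dob' => '31/02/2016'],  // typo in name, impossible date
    ['surname' => 'Jones">', 'dob' => '1976-08-12'],  // stray " and >, wrong date format
];

foreach ($samples as $row) {
    $dob = parseUkDate($row['dob'], '1900-01-01', '2016-08-12');
    printf(
        "<td>%s</td><td>%s</td>\n",
        h($row['surname']),
        $dob !== null ? $dob->format('Y-m-d') : 'rejected'
    );
}
```

The misspelled surname passes both layers unchanged, which is the part only a data-entry report can catch; the impossible date and the markup characters are handled regardless of what the browser checked.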