Hi Stephen,

On Mon, Sep 11, 2017 at 6:37 PM, Stephen Reay <php-li...@koalephant.com>
wrote:

> On 11 Sep 2017, at 15:42, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
> It seems you haven't tried to use the filter module seriously.
> It simply does not have enough features for input validation.
> e.g. You cannot validate "strings".
>
>
> Yasuo,
>
> I’ve asked previously what your proposal actually offers over the filter
> functions, and got no response, so please elaborate on this?
>
> Can you show a concrete example that cannot be validated in user land
> currently, using the filter functions as a base?
>

FILTER_VALIDATE_REGEXP is simply not good enough.
PCRE is known to still be vulnerable to regex DoS (as is Oniguruma).
Users should also avoid regex validation whenever possible, to avoid
various risks.

In addition, the current filter module does not provide nested array
validation, array key validation, etc. It's not true validation either.
It does not provide simple length or min/max validation. It does non
explicit conversions (i.e. trim), etc.
Length and min/max validation is mandatory if you would like to follow
the ISO 27000 requirement.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
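
The checks listed in the message above (nested arrays, array keys, length and min/max, no implicit trimming, no regex), sketched as an added example. It is not code from this thread or from PHP's filter extension; `validate_input()` and its spec format are hypothetical.

```php
<?php
declare(strict_types=1);
// Hypothetical helper (not part of ext/filter): strict allow-list validation.
// Returns a list of error strings; an empty list means the input is valid.
function validate_input(array $input, array $spec, string $path = ''): array
{
    $errors = [];
    // Key validation: reject any key the spec does not name.
    foreach (array_diff_key($input, $spec) as $key => $_) {
        $errors[] = "$path$key: unexpected key";
    }
    foreach ($spec as $key => $rule) {
        $name = $path . $key;
        if (!array_key_exists($key, $input)) {
            $errors[] = "$name: missing";
            continue;
        }
        $value = $input[$key];
        if ($rule['type'] === 'array') {
            // Nested array: recurse with the sub-spec.
            $errors = array_merge($errors, is_array($value)
                ? validate_input($value, $rule['fields'], "$name.")
                : ["$name: not an array"]);
        } elseif (!is_string($value)) {
            $errors[] = "$name: not a string";
        } elseif (strlen($value) < $rule['min'] || strlen($value) > $rule['max']) {
            // Length is checked first, in bytes; the value is never trimmed.
            $errors[] = "$name: length out of range";
        } elseif (strspn($value, $rule['chars']) !== strlen($value)) {
            // Character allow-list without a regex engine, so no backtracking.
            $errors[] = "$name: disallowed character";
        } elseif ($rule['type'] === 'int'
            && ((int) $value < $rule['lo'] || (int) $value > $rule['hi'])) {
            $errors[] = "$name: out of range";
        }
    }
    return $errors;
}

$digits = '0123456789';
$spec = ['user' => ['type' => 'array', 'fields' => [
    'name' => ['type' => 'string', 'min' => 3, 'max' => 16,
               'chars' => 'abcdefghijklmnopqrstuvwxyz_' . $digits],
    'age'  => ['type' => 'int', 'min' => 1, 'max' => 3,
               'chars' => $digits, 'lo' => 18, 'hi' => 120],
]]];
// Constructed sample input: trailing space, out-of-range number, extra key.
$input = ['user' => ['name' => 'alice ', 'age' => '7', 'admin' => '1']];
print_r(validate_input($input, $spec));
```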
