Re: [PHP-DEV] Re: A validator module for PHP7

2018-03-27 Thread Yasuo Ohgaki
On Tue, Mar 27, 2018 at 8:03 PM, Crocodile  wrote:

> It's almost always the case that you need to provide meaningful feedback
> about what exactly went wrong, rather than to just say "Failed!" While
> simplicity is nice and you cannot overrate the value of validation, this whole
> thing is pretty much useless to me personally without this ability. Also, I
> don't think it's a good idea to mix validation of scalar values, arrays and
> even multiple arrays, in a single function.
>

It seems you underrate validations.
It's a fundamental requirement for programs to work correctly.

Fundamental requirement: Programs can only work correctly with valid inputs.

There are countless reasons why one should validate ALL inputs other than
this.
Almost nobody does this now, even if it is a "fundamental" requirement.

How would you solve this?

--
Yasuo Ohgaki
yohg...@ohgaki.net


Re: [PHP-DEV] Re: A validator module for PHP7

2018-03-27 Thread Crocodile
It's almost always the case that you need to provide meaningful feedback
about what exactly went wrong, rather than to just say "Failed!" While
simplicity is nice and you cannot overrate the value of validation, this whole
thing is pretty much useless to me personally without this ability. Also, I
don't think it's a good idea to mix validation of scalar values, arrays and
even multiple arrays, in a single function.

On Tue, Mar 27, 2018 at 11:43 AM Yasuo Ohgaki  wrote:

> On Mon, Sep 4, 2017 at 3:33 PM, Yasuo Ohgaki  wrote:
>
> > Hi all,
> >
> > I spent a little time on a new input validation module. It's not a totally
> > new module, but is based on the Filter module's validation filter improvement
> > RFC in many ways. [1]
> >
> > As all of us knew already, input validation is the most important practice
> > in secure coding. [2][3] Yet, we don't provide a usable feature out of the box.
> > Sadly, almost all apps do not have proper input validation at the trust
> > boundary. Unless we improve filter's validation, we need a usable basic
> > validator by default. IMO.
> >
> > Since I didn't get much feedback during the RFC discussion, I cannot tell
> > what part is disliked. I guess too many features in filter is one reason.
> > Another is messed up code/features by providing both "filter" and
> > "validation".
> >
> > Validator for PHP7 (validate module) gets rid of unneeded features. It
> > only has features for basic PHP data type validations. The validation
> > rule (spec) array is flexible enough. Almost any type of input could be
> > handled by multiple and nested validation rules.
> >
> > Except for some minor features like overflow checks, most planned features
> > are implemented.
> >
> > https://github.com/yohgaki/validate-php
> >
> > Although the code is based on the filter module's code, it's almost a full
> > rewrite, except for the validation logic that came from filter. Please
> > consider this an under-development module.
> > Feedback is appreciated.
> >
> > Regards,
> >
> > [1] https://wiki.php.net/rfc/add_validate_functions_to_filter
> > [2] https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
> > [3] https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
> >
> > --
> > Yasuo Ohgaki
> > yohg...@ohgaki.net
> >
>
>
> I thought it would be nice to have a PHP script version of
> Validate PHP. It is a lot easier to modify the API as needed. So
> I spent a few hours last weekend.
>
> https://github.com/yohgaki/validate-php-scr
>
> Caution, I just wrote it and didn't debug it yet.
> However, it is good enough to play with, I suppose.
>
> The API differs a little. This has a more simplified parameter
> structure. Suggestions and comments are appreciated.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>
-- 
Best regards,
Victor Bolshov
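
Added example, not part of the thread and not code from validate-php: a minimal sketch of a nested rule (spec) array validator that reports which field failed and why, which is the requirement raised in the message above. The function `check()` and the spec keys (`type`, `fields`, `min`, `max`, `max_len`, `regex`) are hypothetical and are not the module's API.

```php
<?php
// Hypothetical spec format invented for this example; NOT the validate-php API.
function check(array $rule, $value, string $path): array
{
    switch ($rule['type']) {
        case 'int': // canonical decimal only; 18 digits max avoids 64-bit overflow
            if (!is_string($value) || !preg_match('/\A(0|-?[1-9][0-9]{0,17})\z/', $value)) {
                return ["$path: not a decimal integer"];
            }
            if ((int)$value < $rule['min'] || (int)$value > $rule['max']) {
                return ["$path: out of range {$rule['min']}..{$rule['max']}"];
            }
            return [];
        case 'string':
            if (!is_string($value) || strlen($value) > $rule['max_len']) {
                return ["$path: not a string of at most {$rule['max_len']} bytes"];
            }
            if (!preg_match($rule['regex'], $value)) {
                return ["$path: contains characters outside the allowed set"];
            }
            return [];
        case 'array':
            if (!is_array($value)) {
                return ["$path: not an array"];
            }
            $errors = [];
            foreach (array_diff_key($value, $rule['fields']) as $key => $_) {
                $errors[] = "$path.$key: unexpected field"; // allow-list of keys
            }
            foreach ($rule['fields'] as $key => $sub) {
                $errors = array_merge($errors, array_key_exists($key, $value)
                    ? check($sub, $value[$key], "$path.$key")
                    : ["$path.$key: missing"]);
            }
            return $errors;
    }
    throw new InvalidArgumentException("unknown rule type at $path");
}
$spec = ['type' => 'array', 'fields' => [
    'id'   => ['type' => 'int', 'min' => 1, 'max' => 100000],
    'user' => ['type' => 'array', 'fields' => [
        'name' => ['type' => 'string', 'max_len' => 32, 'regex' => '/\A[a-z0-9_]+\z/'],
    ]],
]];
// Constructed sample input, shaped like $_POST (all scalars arrive as strings).
$input = ['id' => '0x1A', 'user' => ['name' => "bob\n", 'role' => 'admin']];
foreach (check($spec, $input, 'input') as $error) {
    echo $error, "\n";
}
```

The patterns are anchored with `\A` and `\z` rather than `^` and `$`, so the trailing newline in the sample name is rejected instead of slipping past the end-of-line anchor.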


[PHP-DEV] Re: A validator module for PHP7

2018-03-27 Thread Yasuo Ohgaki
On Mon, Sep 4, 2017 at 3:33 PM, Yasuo Ohgaki  wrote:

> Hi all,
>
> I spent a little time on a new input validation module. It's not a totally
> new module, but is based on the Filter module's validation filter improvement
> RFC in many ways. [1]
>
> As all of us knew already, input validation is the most important practice
> in secure coding. [2][3] Yet, we don't provide a usable feature out of the box.
> Sadly, almost all apps do not have proper input validation at the trust
> boundary. Unless we improve filter's validation, we need a usable basic
> validator by default. IMO.
>
> Since I didn't get much feedback during the RFC discussion, I cannot tell
> what part is disliked. I guess too many features in filter is one reason.
> Another is messed up code/features by providing both "filter" and
> "validation".
>
> Validator for PHP7 (validate module) gets rid of unneeded features. It
> only has features for basic PHP data type validations. The validation
> rule (spec) array is flexible enough. Almost any type of input could be
> handled by multiple and nested validation rules.
>
> Except for some minor features like overflow checks, most planned features are
> implemented.
>
> https://github.com/yohgaki/validate-php
>
> Although the code is based on the filter module's code, it's almost a full
> rewrite, except for the validation logic that came from filter. Please
> consider this an under-development module.
> Feedback is appreciated.
>
> Regards,
>
> [1] https://wiki.php.net/rfc/add_validate_functions_to_filter
> [2] https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
> [3] https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>


I thought it would be nice to have a PHP script version of
Validate PHP. It is a lot easier to modify the API as needed. So
I spent a few hours last weekend.

https://github.com/yohgaki/validate-php-scr

Caution, I just wrote it and didn't debug it yet.
However, it is good enough to play with, I suppose.

The API differs a little. This has a more simplified parameter
structure. Suggestions and comments are appreciated.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net