Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi Yasuo, > On 9 Sep 2016, at 06:12, Yasuo Ohgaki wrote: > > On Thu, Sep 8, 2016 at 9:13 PM, Stephen Reay wrote: >>> On 8 Sep 2016, at 17:49, Yasuo Ohgaki wrote: >>> >>> Hi Stephen, >>> >>> On Thu, Sep 8, 2016 at 7:34 PM,

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi Stephen, On Fri, Sep 9, 2016 at 8:12 AM, Yasuo Ohgaki wrote: > > Having > FILTER_VALIDATE_STRICT_FLOAT > and > FILTER_VALIDATE_FLOAT > would be problematic. I forgot to mention filter module uses 32 bit int for filter flags. It means we have only up to 31 filters. We

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

On Thu, Sep 8, 2016 at 9:13 PM, Stephen Reay wrote: >> On 8 Sep 2016, at 17:49, Yasuo Ohgaki wrote: >> >> Hi Stephen, >> >> On Thu, Sep 8, 2016 at 7:34 PM, Stephen Reay >> wrote: >>> Adding a bunch of new functions is IMO

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

On 08/09/16 22:56, Christoph M. Becker wrote: > And it can even work without autoboxing; just wrap the scalars in > objects manually. And we come full circle. YES everybody can add their own user land wrappers to do this, but if code is built into the core to provide a standard to work with then

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

On 08.09.2016 at 23:47, Yasuo Ohgaki wrote: > On Thu, Sep 8, 2016 at 8:08 PM, Lester Caine wrote: > >> On 08/09/16 10:02, Rowan Collins wrote: >> >>> No, I'm suggesting something like: >>> >>> if ( >>> ! validate_int($var, $min, $max) >>> || ! validate_bool($var,

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi Lester, On Thu, Sep 8, 2016 at 8:08 PM, Lester Caine wrote: > On 08/09/16 10:02, Rowan Collins wrote: >> No, I'm suggesting something like: >> >> if ( >> ! validate_int($var, $min, $max) >> || ! validate_bool($var, $allowed_bool_types) >> || !

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi Yasuo, > On 8 Sep 2016, at 17:49, Yasuo Ohgaki wrote: > > Hi Stephen, > > On Thu, Sep 8, 2016 at 7:34 PM, Stephen Reay wrote: >> Adding a bunch of new functions is IMO the wrong approach to this type of >> thing. >> The existing

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

On 08/09/16 10:02, Rowan Collins wrote: > No, I'm suggesting something like: > > if ( > ! validate_int($var, $min, $max) > || ! validate_bool($var, $allowed_bool_types) > || ! validate_string($var, $min_len, $max_len) > || ! validate_string_encoding($var, $encoding) > || !

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi Stephen, On Thu, Sep 8, 2016 at 7:34 PM, Stephen Reay wrote: > Adding a bunch of new functions is IMO the wrong approach to this type of > thing. > The existing filter_var/filter_input infrastructure works well, if you want > to define more rules I would definitely

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi Rowan, On Thu, Sep 8, 2016 at 6:02 PM, Rowan Collins wrote: > On 08/09/2016 09:28, Yasuo Ohgaki wrote: >> >> This might be the largest difference. >> >> To make something secure than it is now, adding additional security >> layer is effective, not single

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

So, I’m trying to really understand what the goals of this RFC were/are. Adding a bunch of new functions is IMO the wrong approach to this type of thing. The existing filter_var/filter_input infrastructure works well, if you want to define more rules I would definitely encourage building

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

On 08/09/2016 09:28, Yasuo Ohgaki wrote: This might be the largest difference. To make something secure than it is now, adding additional security layer is effective, not single location/code. My instinct is that this extra location would be a maintenance nightmare, as it would need to keep

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi Rowan, On Thu, Sep 8, 2016 at 2:58 AM, Rowan Collins wrote: > >> 3rd issue is location. Input data validation is better to be done as >> soon as possible. When application accepts input, programmers >> know what the possible inputs, and could cover all inputs. i.e. >>

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

On 06/09/2016 02:56, Yasuo Ohgaki wrote: Hi Rowan, On Fri, Sep 2, 2016 at 7:37 PM, Rowan Collins wrote: This certainly makes sense. I guess the challenge is that in order to know if data has been tampered, you need to have some knowledge of the expected format. That

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

On 07/09/16 10:19, Lester Caine wrote: > If the definition of a variable is > improved to include ALL of the validation we ideally need and I include > setStrict(int) in that then at run time we can both validate input and > decide on the error model that is applied. And I know I will get my head

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

On 06/09/16 23:57, Yasuo Ohgaki wrote: > It may differ from your software security model. Programmers are free > to choose which model to adopt. However, one shouldn't disturb > mandatory tool implementation for recommended security model by secure > coding specialists, IMHO. If you don't

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi Lester, On Tue, Sep 6, 2016 at 4:59 PM, Lester Caine wrote: > On 06/09/16 03:19, Yasuo Ohgaki wrote: >> Hi Lester, >> >> On Fri, Sep 2, 2016 at 7:58 PM, Lester Caine wrote: >>> A filter of "is this string corrupted with an injection attempt" seems >>>

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

On 06/09/16 03:19, Yasuo Ohgaki wrote: > Hi Lester, > > On Fri, Sep 2, 2016 at 7:58 PM, Lester Caine wrote: >> A filter of "is this string corrupted with an injection attempt" seems >> rather more difficult to define than "email"? And applying the first in >> general on every

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi Lester, On Fri, Sep 2, 2016 at 7:58 PM, Lester Caine wrote: > A filter of "is this string corrupted with an injection attempt" seems > rather more difficult to define than "email"? And applying the first in > general on every string when there are as set of simple filters

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi Rowan, On Fri, Sep 2, 2016 at 7:37 PM, Rowan Collins wrote: > On 02/09/2016 11:11, Yasuo Ohgaki wrote: >> >> Taking care of tampered data by business logic will reduce both >> readability and maintainability. And more importantly, make code >> less secure because

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

On 02/09/16 11:37, Rowan Collins wrote: > If somebody's *not* using a library to build the form (e.g. they're > laying out the HTML by hand), are they likely to set up the complex > validation settings needed by the filter_* functions? The main problem is the lack of well built libraries that

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

On 02/09/16 11:11, Yasuo Ohgaki wrote: > Why shouldn't we have more secure validation? No argument about that ... only that ALL validation requires rules. If you have rules for preventing 'injection attacks' they only need to be applied to data that could allow that injection to be carried

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

On 02/09/2016 11:11, Yasuo Ohgaki wrote: Taking care of tampered data by business logic will reduce both readability and maintainability. And more importantly, make code less secure because programmers tend to focus on logic in model, not input data validations. This certainly makes sense. I

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi Lester, On Fri, Sep 2, 2016 at 5:42 PM, Lester Caine wrote: > On 02/09/16 01:25, Yasuo Ohgaki wrote: >> I don't understand why new validator would cause more problems than >> solving. If users validate all inputs (e.g. request headers, cookies, >> all of post/get

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

On 02/09/16 01:25, Yasuo Ohgaki wrote: > I don't understand why new validator would cause more problems than > solving. If users validate all inputs (e.g. request headers, cookies, > all of post/get tampering), apps became much more secure. This task > does not belong to business(app) logic. Even

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi Lars, On Thu, Sep 1, 2016 at 8:59 PM, Lars Strojny wrote: >> On 31 Aug 2016, at 21:45, Yasuo Ohgaki wrote: > [...] >> Thank you for voting! >> The RFC is declined 1 vs 13 >> A bit surprised this result. >> >> I requested the reason of objection, but many

Re: [PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi Yasuo, > On 31 Aug 2016, at 21:45, Yasuo Ohgaki wrote: [...] > Thank you for voting! > The RFC is declined 1 vs 13 > A bit surprised this result. > > I requested the reason of objection, but many of them does not disclose why. [...] > lstrojny (lstrojny) [...] sorry for

[PHP-DEV] [RFC][VOTE] Add validation functions to filter module

Hi all, This RFC is to add functions that are suitable for input validations for secure coding. IMHO, these additions are mandatory for PHP. https://wiki.php.net/rfc/add_validate_functions_to_filter Vote ends 2016/08/22 23:59:59 UTC I don't mind suspend vote and continue discussion if there is