Hi Yasuo,
> On 9 Sep 2016, at 06:12, Yasuo Ohgaki wrote:
>
> On Thu, Sep 8, 2016 at 9:13 PM, Stephen Reay wrote:
>>> On 8 Sep 2016, at 17:49, Yasuo Ohgaki wrote:
>>>
>>> Hi Stephen,
>>>
>>> On Thu, Sep 8, 2016 at 7:34 PM,
Hi Stephen,
On Fri, Sep 9, 2016 at 8:12 AM, Yasuo Ohgaki wrote:
>
> Having
> FILTER_VALIDATE_STRICT_FLOAT
> and
> FILTER_VALIDATE_FLOAT
> would be problematic.
I forgot to mention filter module uses 32 bit int for filter flags. It
means we have only up to 31 filters. We
On Thu, Sep 8, 2016 at 9:13 PM, Stephen Reay wrote:
>> On 8 Sep 2016, at 17:49, Yasuo Ohgaki wrote:
>>
>> Hi Stephen,
>>
>> On Thu, Sep 8, 2016 at 7:34 PM, Stephen Reay
>> wrote:
>>> Adding a bunch of new functions is IMO
On 08/09/16 22:56, Christoph M. Becker wrote:
> And it can even work without autoboxing; just wrap the scalars in
> objects manually.
And we come full circle. YES everybody can add their own user land
wrappers to do this, but if code is built into the core to provide a
standard to work with then
On 08.09.2016 at 23:47, Yasuo Ohgaki wrote:
> On Thu, Sep 8, 2016 at 8:08 PM, Lester Caine wrote:
>
>> On 08/09/16 10:02, Rowan Collins wrote:
>>
>>> No, I'm suggesting something like:
>>>
>>> if (
>>> ! validate_int($var, $min, $max)
>>> || ! validate_bool($var,
Hi Lester,
On Thu, Sep 8, 2016 at 8:08 PM, Lester Caine wrote:
> On 08/09/16 10:02, Rowan Collins wrote:
>> No, I'm suggesting something like:
>>
>> if (
>> ! validate_int($var, $min, $max)
>> || ! validate_bool($var, $allowed_bool_types)
>> || !
Hi Yasuo,
> On 8 Sep 2016, at 17:49, Yasuo Ohgaki wrote:
>
> Hi Stephen,
>
> On Thu, Sep 8, 2016 at 7:34 PM, Stephen Reay wrote:
>> Adding a bunch of new functions is IMO the wrong approach to this type of
>> thing.
>> The existing
On 08/09/16 10:02, Rowan Collins wrote:
> No, I'm suggesting something like:
>
> if (
> ! validate_int($var, $min, $max)
> || ! validate_bool($var, $allowed_bool_types)
> || ! validate_string($var, $min_len, $max_len)
> || ! validate_string_encoding($var, $encoding)
> || !
Hi Stephen,
On Thu, Sep 8, 2016 at 7:34 PM, Stephen Reay wrote:
> Adding a bunch of new functions is IMO the wrong approach to this type of
> thing.
> The existing filter_var/filter_input infrastructure works well, if you want
> to define more rules I would definitely
Hi Rowan,
On Thu, Sep 8, 2016 at 6:02 PM, Rowan Collins wrote:
> On 08/09/2016 09:28, Yasuo Ohgaki wrote:
>>
>> This might be the largest difference.
>>
>> To make something secure than it is now, adding additional security
>> layer is effective, not single
So, I’m trying to really understand what the goals of this RFC were/are.
Adding a bunch of new functions is IMO the wrong approach to this type of thing.
The existing filter_var/filter_input infrastructure works well, if you want to
define more rules I would definitely encourage building
On 08/09/2016 09:28, Yasuo Ohgaki wrote:
This might be the largest difference.
To make something secure than it is now, adding additional security
layer is effective, not single location/code.
My instinct is that this extra location would be a maintenance
nightmare, as it would need to keep
Hi Rowan,
On Thu, Sep 8, 2016 at 2:58 AM, Rowan Collins wrote:
>
>> 3rd issue is location. Input data validation is better to be done as
>> soon as possible. When application accepts input, programmers
>> know what the possible inputs, and could cover all inputs. i.e.
>>
On 06/09/2016 02:56, Yasuo Ohgaki wrote:
Hi Rowan,
On Fri, Sep 2, 2016 at 7:37 PM, Rowan Collins wrote:
This certainly makes sense. I guess the challenge is that in order to know
if data has been tampered, you need to have some knowledge of the expected
format. That
On 07/09/16 10:19, Lester Caine wrote:
> If the definition of a variable is
> improved to include ALL of the validation we ideally need and I include
> setStrict(int) in that then at run time we can both validate input and
> decide on the error model that is applied.
And I know I will get my head
On 06/09/16 23:57, Yasuo Ohgaki wrote:
> It may differ from your software security model. Programmers are free
> to choose which model to adopt. However, one shouldn't disturb
> mandatory tool implementation for recommended security model by secure
> coding specialists, IMHO. If you don't
Hi Lester,
On Tue, Sep 6, 2016 at 4:59 PM, Lester Caine wrote:
> On 06/09/16 03:19, Yasuo Ohgaki wrote:
>> Hi Lester,
>>
>> On Fri, Sep 2, 2016 at 7:58 PM, Lester Caine wrote:
>>> A filter of "is this string corrupted with an injection attempt" seems
>>>
On 06/09/16 03:19, Yasuo Ohgaki wrote:
> Hi Lester,
>
> On Fri, Sep 2, 2016 at 7:58 PM, Lester Caine wrote:
>> A filter of "is this string corrupted with an injection attempt" seems
>> rather more difficult to define than "email"? And applying the first in
>> general on every
Hi Lester,
On Fri, Sep 2, 2016 at 7:58 PM, Lester Caine wrote:
> A filter of "is this string corrupted with an injection attempt" seems
> rather more difficult to define than "email"? And applying the first in
> general on every string when there are as set of simple filters
Hi Rowan,
On Fri, Sep 2, 2016 at 7:37 PM, Rowan Collins wrote:
> On 02/09/2016 11:11, Yasuo Ohgaki wrote:
>>
>> Taking care of tampered data by business logic will reduce both
>> readability and maintainability. And more importantly, make code
>> less secure because
On 02/09/16 11:37, Rowan Collins wrote:
> If somebody's *not* using a library to build the form (e.g. they're
> laying out the HTML by hand), are they likely to set up the complex
> validation settings needed by the filter_* functions?
The main problem is the lack of well built libraries that
On 02/09/16 11:11, Yasuo Ohgaki wrote:
> Why shouldn't we have more secure validation?
No argument about that ... only that ALL validation requires rules. If
you have rules for preventing 'injection attacks' they only need to be
applied to data that could allow that injection to be carried
On 02/09/2016 11:11, Yasuo Ohgaki wrote:
Taking care of tampered data by business logic will reduce both
readability and maintainability. And more importantly, make code
less secure because programmers tend to focus on logic
in model, not input data validations.
This certainly makes sense. I
Hi Lester,
On Fri, Sep 2, 2016 at 5:42 PM, Lester Caine wrote:
> On 02/09/16 01:25, Yasuo Ohgaki wrote:
>> I don't understand why new validator would cause more problems than
>> solving. If users validate all inputs (e.g. request headers, cookies,
>> all of post/get
On 02/09/16 01:25, Yasuo Ohgaki wrote:
> I don't understand why new validator would cause more problems than
> solving. If users validate all inputs (e.g. request headers, cookies,
> all of post/get tampering), apps became much more secure. This task
> does not belong to business(app) logic. Even
Hi Lars,
On Thu, Sep 1, 2016 at 8:59 PM, Lars Strojny wrote:
>> On 31 Aug 2016, at 21:45, Yasuo Ohgaki wrote:
> [...]
>> Thank you for voting!
>> The RFC is declined 1 vs 13
>> A bit surprised this result.
>>
>> I requested the reason of objection, but many
Hi Yasuo,
> On 31 Aug 2016, at 21:45, Yasuo Ohgaki wrote:
[...]
> Thank you for voting!
> The RFC is declined 1 vs 13
> A bit surprised this result.
>
> I requested the reason of objection, but many of them does not disclose why.
[...]
> lstrojny (lstrojny)
[...]
sorry for
Hi all,
This RFC is to add functions that are suitable for input validations
for secure coding. IMHO, these additions are mandatory for PHP.
https://wiki.php.net/rfc/add_validate_functions_to_filter
Vote ends 2016/08/22 23:59:59 UTC
I don't mind suspend vote and continue discussion if there is
28 matches
Mail list logo