Hi,

> My concern would be that dynamically creating regex patterns has quite a lot 
> of possible different foot guns and using something like 
> preg_validate/filter_var to prevent warnings seems to not really solve the 
> problem but give a false sense of security.

The purpose I see is not to give a sense of security, but to give
quick feedback whether the pattern is valid or not.

> You can end up with a mostly working version which will only trigger the fail 
> path later on depending on user input.

I'm not sure I understand the connection here: validating the regex
pattern itself and matching the pattern with something are two
different things.

> It boils down to: If you are not confident that you construct the pattern in 
> a safe way then what would you do if a validation function returns false? You 
> can notify the developer but that is already accomplished with the preg_* 
> warning when an invalid pattern is given. Creating an error page for the user 
> on a warning is also already possible. That's why I'm on the fence whether a 
> validation function does more good or harm.

I don't understand how it could be harmful. Early validation is useful
when it comes to avoiding unnecessary operations if we can already be
sure that it will fail later for obvious reasons. For me, it falls
into the same category as email or URL validation in filter_var.
That's also why I think it would be more appropriate as a flag for
this function rather than a dedicated function.

— Alexandre Daubois
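As an added illustration of the distinction drawn in this reply between validating a pattern and matching it (example code written for this note, not part of the thread or of PHP itself; assumes PHP 8 for preg_last_error_msg()): the first helper only checks whether a pattern compiles, the second shows that a pattern which passed that check can still fail at match time because of the subject, which is the case the quoted concern refers to.

```php
<?php
declare(strict_types=1);

/**
 * Compile-time check only: returns true when the PCRE pattern compiles.
 * The E_WARNING that preg_match() emits for an invalid pattern is captured
 * so the caller gets a plain boolean instead of a warning.
 */
function isValidRegex(string $pattern): bool
{
    $valid = true;
    set_error_handler(static function () use (&$valid): bool {
        $valid = false;
        return true; // swallow the compilation warning
    }, E_WARNING);
    try {
        // Matching the empty string forces compilation; false means it failed.
        if (preg_match($pattern, '') === false) {
            $valid = false;
        }
    } finally {
        restore_error_handler();
    }
    return $valid;
}

/**
 * Match-time check: a syntactically valid pattern can still fail on a given
 * subject (bad UTF-8 with /u, backtrack or JIT stack limits). Those failures
 * are input-dependent, so pattern validation alone cannot rule them out.
 */
function safeMatch(string $pattern, string $subject): array
{
    $result = preg_match($pattern, $subject, $matches);
    if ($result === false) {
        return ['ok' => false, 'error' => preg_last_error_msg()];
    }
    return ['ok' => true, 'matched' => $result === 1, 'matches' => $matches];
}

// Constructed inputs for demonstration.
var_dump(isValidRegex('/^[a-z]+$/'));  // bool(true)
var_dump(isValidRegex('/^[a-z+$/'));   // bool(false): unterminated character class
var_dump(isValidRegex('/(/'));         // bool(false): missing closing parenthesis

// Valid pattern, well-formed subject: match succeeds.
print_r(safeMatch('/^[a-z]+$/u', 'hello'));
// Same valid pattern, subject is not valid UTF-8: fails only at match time.
print_r(safeMatch('/^[a-z]+$/u', "\xff"));
```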
