Hi!

> I brought up ISO 27000 as the definition of IT security, since there are
> many definitions for security. ISO 27000 does not define what "security
> measure" is,

That's exactly the issue. You bring very generic definitions from standards and best practices, and then you bring your personal opinion on how to implement a specific case, and make it sound like the standard endorses your personal preference. But it is not so - both filtering and validation can be perfectly secure when properly used (or insecure when not). There's no requirement in the standards for any of them, at least you haven't demonstrated any.

> As I described above, accounting which requires logging is one of the security
> measures for me.

And that's fine for your use cases, but it doesn't mean all use cases must be like yours. So making it sound like sanitizing data is somehow insecure is not right - unless you can show some actual security problem, not a mismatch with your use case.

-- 
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
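The filtering-versus-validation distinction the reply turns on, as an added example that is not part of the thread and not code by either participant: a sanitizing filter silently transforms malformed input into something usable, while a validating filter rejects it and leaves a record. The function names, the age range and the `$auditLog` array are assumptions made for illustration.

```php
<?php
// Added example: contrasts PHP's sanitizing and validating filters on the
// same constructed inputs. Neither approach is inherently insecure; the
// difference is whether bad input is quietly reshaped or rejected and logged.

declare(strict_types=1);

/** Sanitizing approach: strip disallowed characters and keep going. */
function sanitizeAge(string $raw): ?int
{
    // FILTER_SANITIZE_NUMBER_INT keeps digits, '+' and '-' and drops the rest.
    $cleaned = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    if ($cleaned === false || $cleaned === '') {
        return null;
    }
    return (int) $cleaned;
}

/** Validating approach: accept only a well-formed integer in range; otherwise reject and record it. */
function validateAge(string $raw, array &$auditLog): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150], // assumed bounds
    ]);
    if ($value === false) {
        // Hypothetical audit record; a real deployment writes to its log sink.
        $auditLog[] = sprintf('rejected age input %s', json_encode($raw));
        return null;
    }
    return $value;
}

// Constructed sample inputs: one clean value and four malformed ones.
$inputs = ['42', '42abc', 'abc', '-7', '1e3'];
$auditLog = [];

foreach ($inputs as $raw) {
    printf(
        "%-8s sanitize=%-5s validate=%s\n",
        var_export($raw, true),
        var_export(sanitizeAge($raw), true),
        var_export(validateAge($raw, $auditLog), true)
    );
}
// The validating path leaves an audit trail; the sanitizing path leaves none.
print_r($auditLog);
```

Running this shows the trade-off in concrete terms: the sanitizing filter turns `'42abc'` into `42`, `'1e3'` into `13` and accepts `'-7'` as a negative age, all without any trace, whereas the validating filter returns `null` for each of those and appends a line to `$auditLog`. Which behaviour is appropriate depends on whether the application needs that accounting, which is the point of the disagreement above.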