Hi Dan,

On Tue, Aug 2, 2016 at 7:29 AM, Dan Ackroyd <dan...@basereality.com> wrote:
> On 1 August 2016 at 09:23, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>>
>> Question is which version should I target for?
>
> Why does this need to be in PHP core?

Input validation is the most important security measure.

https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

Input validation best practice is "Validate values by whitelist and
Reject invalid", not "Filter values and Accept". PHP should have a
function that follows best practices.

(I'm not saying nobody should not "Filter values and Accept". It's
okay if your security policy allows it.)

> Why can't this just be a userland library?

PHP must have an input validation feature that achieves the previously
described validation. A basic feature like input validation must be able
to perform quickly, so it should be provided as a core feature like the
basic escaping functions.

Regards,

P.S. I'll add string validation filters (e.g. min/max, encoding check,
etc.) and a validation function callback (i.e. must return bool) soon.

--
Yasuo Ohgaki
yohg...@ohgaki.net
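
An added example, not part of the original message or of the proposed core feature, contrasting "Filter values and Accept" with "Validate values by whitelist and Reject invalid" using existing PHP functions. The names `filter_and_accept`, `validate_or_reject` and `$nameRule`, the limits, and the sample requests are constructed for illustration; the mbstring extension is assumed.

```php
<?php
declare(strict_types=1);

// "Filter values and accept": offending characters are stripped and
// whatever is left is used.
function filter_and_accept(array $in): array
{
    return [
        'age'  => filter_var($in['age'] ?? '', FILTER_SANITIZE_NUMBER_INT),
        'name' => preg_replace('/[^A-Za-z ]/', '', $in['name'] ?? ''),
    ];
}

// "Validate by whitelist and reject": every field must match its rule,
// otherwise the whole request is refused and nothing is repaired.
function validate_or_reject(array $in, callable $nameRule): array
{
    $age = filter_var($in['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        throw new InvalidArgumentException('age: expected integer 0..150');
    }
    $name = $in['name'] ?? '';
    if (!is_string($name) || !mb_check_encoding($name, 'UTF-8')) {
        throw new InvalidArgumentException('name: invalid UTF-8');
    }
    $len = mb_strlen($name, 'UTF-8');   // min/max length check
    if ($len < 1 || $len > 64 || $nameRule($name) !== true) {
        throw new InvalidArgumentException('name: not in whitelist');
    }
    return ['age' => $age, 'name' => $name];
}

// Callback rule (hypothetical): must return bool.
$nameRule = fn(string $s): bool => preg_match('/\A[\p{L}][\p{L} .\'-]*\z/u', $s) === 1;

// Constructed sample requests.
$requests = [
    ['age' => '42',     'name' => 'Alice Example'],
    ['age' => '12abc3', 'name' => 'Bob'],
    ['age' => '30',     'name' => "Bob\xFF<script>"],
];
foreach ($requests as $r) {
    echo json_encode(filter_and_accept($r)), ' | ';
    try {
        echo json_encode(validate_or_reject($r, $nameRule)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'REJECTED (', $e->getMessage(), ")\n";
    }
}
```

The filtering path turns the malformed requests into plausible-looking values and carries on, while the validating path refuses them outright.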