On 18/08/16 02:34, Stanislav Malyshev wrote:
>> The input validation only reject invalid input.
>> >
>> > If you use plain <input> for "date", then you should consider any valid
>> > UTF-8 without CNTRL chars up to 100 char or so, not "YYYYMMDD".
>> > (Assuming UTF-8 is the encoding)
> But why? If I just check for YYYYMMDD I automatically get all invalid
> UTF-8 etc. rejected, without even thinking about it.

Yasuo - If there is a bug in the client side process, whatever that is, which causes something which YOU think is an invalid input, then you would consider everything is broken? Just where do you draw the line between invalid input and incorrect input? If the YYYYMMDD has a couple of duff UTF8 characters appended, you crash out rather than simply flagging the error? How do you distinguish between an attacker and a naive user who simply does not know you can't use cut and paste to copy something over because the OS will also copy all the hidden HTML along with it?

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
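The "invalid input" versus "incorrect input" line debated in this message, written out as an added example that is not part of the original post or of any PHP extension: a two-tier check where only the loose tier quoted above (valid UTF-8, no control characters, bounded length) rejects outright, and a failed YYYYMMDD match is reported back to the user. The function name, the INPUT_* constants and the sample strings are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical outcome labels for the three cases the thread distinguishes.
const INPUT_OK        = 'ok';        // well-formed and a real calendar date
const INPUT_INCORRECT = 'incorrect'; // plausible text, wrong as a date: show the user an error
const INPUT_INVALID   = 'invalid';   // not something a plain text field should carry: reject and log

function classify_date_input(string $raw, int $maxBytes = 100): string
{
    // Tier 1: the loose check from the quoted text. Length is counted in
    // bytes here (an assumption; the thread says "100 char or so").
    if (strlen($raw) > $maxBytes
        || preg_match('//u', $raw) !== 1                 // fails on malformed UTF-8
        || preg_match('/[\x00-\x1F\x7F]/', $raw) === 1)  // ASCII control characters
    {
        return INPUT_INVALID;
    }

    // Tier 2: the business rule. Failing it is a user-facing error, not a rejection.
    $value = trim($raw, ' ');
    if (preg_match('/\A(\d{4})(\d{2})(\d{2})\z/', $value, $m) !== 1) {
        return INPUT_INCORRECT;
    }
    return checkdate((int) $m[2], (int) $m[3], (int) $m[1]) ? INPUT_OK : INPUT_INCORRECT;
}

// Constructed sample inputs covering the cases raised in the message.
$samples = [
    'plain date'              => '20160818',
    'impossible date'         => '20160231',
    'other date format'       => '18/08/2016',
    'pasted markup appended'  => '20160818<b>',
    'malformed UTF-8 appended' => "20160818\xC3\x28",
    'NUL byte appended'       => "20160818\x00",
];

foreach ($samples as $label => $raw) {
    printf("%-26s => %s\n", $label, classify_date_input($raw));
}
```

A single strict `YYYYMMDD` pattern would put the last four samples in one bucket; the split above is what lets pasted markup be flagged to the user while malformed bytes are treated separately.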