On 18/08/16 07:54, Stanislav Malyshev wrote:
>> Broken char encoding shouldn't come from legitimate users. Text
>> that contains CNTRL chars from <input type="text" name="var" /> shouldn't
>> come from legitimate users. 1MB data from <input type="text"
>> name="var" /> shouldn't come from legitimate users. Numeric database
>> record ID that is set by app shouldn't contain anything other than
>> digits. And so on.
> I think you are mixing abnormal situations due to physical limitations
> of software (like memory limits, etc.) with business logic. Numeric
> format validation and size limits are clearly business logic. Encoding
> may be not, depending on what the input is and used for.
Currently if the post data contained a large block of text how is that handled in the $_POST array? If we have specified a validator that say ['note'] has a 1k limit, then only the first 1024 characters will be usable so anything else can be scrapped.

Yes I know that we have a chicken and egg in that $_POST['note'] has to be created before we can augment it with other information, and currently that happens by copying $_POST['note'] to a well defined $note further down the chain, but how difficult would it be for a set of annotations to be picked up as part of the process of creating $_POST['note'] in the first place?

Even strict typing does not help here since all we have is 'string' where even something as simple as 'short_string' for a 256 byte limit string would help, but adding even a simple set of limits to the base variables addresses the majority of what is being discussed? Even if you leave the finer validation rules such as 'valid email' to later 'business' logic? But is it really that difficult to go from 'short_string' to 'email' as a validation rule?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
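The kind of declarative check the two messages above are debating (encoding, control characters and size limits on the "base" variables, with a finer rule such as 'email' layered on top), written out as an added example in userland PHP. This is illustration code, not anything from the thread or from php-src: the rule names 'digits', 'short_string', 'text' and 'email', the functions validate_value() and validate_input(), and the sample array standing in for $_POST are all assumptions made for this example.

```php
<?php
// Added example (not from the thread): a declarative validator applied to a
// $_POST-shaped array. Rule names and function names are hypothetical.

declare(strict_types=1);

const MAX_TEXT_BYTES = 1024;

/**
 * Validate one value against a named rule. Returns null on success, or a
 * string describing the first violation. The order mirrors the thread: the
 * generic limits (encoding, control chars, size) run before any format rule.
 */
function validate_value(string $rule, $value): ?string
{
    if (!is_string($value)) {
        return 'expected scalar string';     // name[] arrays are rejected outright
    }
    if (!mb_check_encoding($value, 'UTF-8')) {
        return 'invalid UTF-8';
    }
    // Reject C0/C1 control characters; tab, CR and LF stay allowed for free text.
    if (preg_match('/[^\P{Cc}\t\r\n]/u', $value)) {
        return 'control characters present';
    }
    switch ($rule) {
        case 'digits':
            return preg_match('/\A[0-9]{1,20}\z/', $value) ? null : 'not a numeric id';
        case 'short_string':
            return strlen($value) <= 256 ? null : 'longer than 256 bytes';
        case 'text':
            return strlen($value) <= MAX_TEXT_BYTES
                ? null
                : 'longer than ' . MAX_TEXT_BYTES . ' bytes';
        case 'email':
            // The finer "business" rule is just short_string plus a format check.
            if (strlen($value) > 256) {
                return 'longer than 256 bytes';
            }
            return filter_var($value, FILTER_VALIDATE_EMAIL) !== false
                ? null
                : 'not an email address';
        default:
            throw new InvalidArgumentException("unknown rule: $rule");
    }
}

/**
 * Apply a spec (key => rule) to an input array. Keys not in the spec are
 * dropped; failures are reported per key instead of being silently truncated.
 */
function validate_input(array $spec, array $input): array
{
    $clean  = [];
    $errors = [];
    foreach ($spec as $key => $rule) {
        if (!array_key_exists($key, $input)) {
            $errors[$key] = 'missing';
            continue;
        }
        $err = validate_value($rule, $input[$key]);
        if ($err === null) {
            $clean[$key] = $input[$key];
        } else {
            $errors[$key] = $err;
        }
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample input standing in for $_POST (not real request data).
$spec   = ['id' => 'digits', 'email' => 'email', 'note' => 'text'];
$sample = [
    'id'    => '42abc',                 // fails 'digits'
    'email' => 'user@example.com',      // passes
    'note'  => str_repeat('x', 2000),   // exceeds the 1024-byte text limit
    'extra' => 'ignored',               // not in the spec, dropped
];
$result = validate_input($spec, $sample);
print_r($result['errors']);
print_r(array_keys($result['clean']));
```

The example rejects an over-long 'note' rather than keeping the first 1024 bytes as the message suggests: truncating at a byte boundary can cut a multibyte UTF-8 sequence in half and quietly changes what the user submitted, whereas a rejected field is visible in the error map and can be logged. The encoding and control-character checks run for every rule precisely because, as the quoted message argues, such input never comes from a legitimate form submission and is worth flagging before any business rule sees it.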