Hi Lester, On Thu, Aug 18, 2016 at 4:27 PM, Lester Caine <les...@lsces.co.uk> wrote: > On 18/08/16 07:54, Stanislav Malyshev wrote: >>> Broken char encoding shouldn't came from legitimate users. Text >>> > contains CNTRL chars from <input type="text" name="var" /> shouldn't >>> > come from legitimate users. 1MB data from <input type="text" >>> > name="var" /> shouldn't come from legitimate users. Numeric database >>> > record ID that is set by app shouldn't contain anything other than >>> > digits. And so on. >> I think you are mixing abnormal situations due to physical limitations >> of software (like memory limits, etc.) with business logic. Numeric >> format validation and size limits are clearly business logic. Encoding >> may be not, depending on what the input is and used for. > > Currently if the post data contained a large block of text how is that > handled in the $_POST array? If we have specified a validator that say > ['note'] has a 1k limit, then only the first 1024 characters will be > usable so anything else can be scrapped. Yes I know that we have a > chicken and egg in that $_POST['note'] has to be created before we can > augment it with other information, and currently that happens by copying > $_POST['note'] to a well defined $note further down the chain, but how > difficult would it be for a set of annotations to be picked up as part > of the process of creating $_POST['note'] in the first place?
If $_POST['note'] is limited to 1KB by business logic and there is no restriction on client side, have only a memo that "You can enter up to 1KB text", then I'll treat up to 10KB of text or more as "valid input". > > Even strict typing does not help here since all we have is 'string' > where even something as simple as 'short_string' for a 256 byte limit > string would help, but adding even a simple set of limits to the base > variables addresses the majority of what is being discussed? Even if you > leave the finer validation rules such as 'valid email' to later > 'business' logic? But is it really that difficult to go from > 'short_string' to 'email' as a validation rule? If you validate "email" as email on client side, then you can have validation rule that rejects anything other than client side validation rule. If you don't have client side validation(rule), then you should treat them as normal strings in the input validation. The input validation we are discussing is "Input/output rules between client and server". It decides what's valid/invalid. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
