On 02/09/16 11:11, Yasuo Ohgaki wrote:
> Why shouldn't we have more secure validation?

No argument about that ... only that ALL validation requires rules. If
you have rules for preventing 'injection attacks' they only need to be
applied to data that could allow that injection to be carried forward.
If I expect a valid email address, and the string supplied is not a
valid email address, then I kill anything that is provided instead.

The legacy code which *I* have had validation problems with has
basically just been poor design from simply mirroring the post data to a
new URL if they want to use some third party service. Heavy-handed
filtering of injection paths also kills the data that the silly clone
mirroring can't be bothered to filter properly. Convincing others that
the correct approach IS to filter data properly is an uphill struggle
when they can't be bothered to learn the interface to the service they
are bouncing over to. "It's too difficult to maintain as the APIs will
keep changing". But if PHP has a set of base rules that can be applied
in parallel to the same rules in browser space, then one can simplify the
processing elements that can then be mirrored cleanly, or halted if the
material needed to create the mirror is no longer valid.

> Taking care of tampered data by business logic will reduce both
> readability and maintainability. And more importantly, make code
> less secure because programmers tend to focus on logic
> in model, not input data validations.

That one has a packet of data validated in the browser which one is now
processing in the server and it is subject to tampering is the extra
validation you are talking about. How do you distinguish between what
was valid, but has now been contaminated without also checking that the
expected strings ARE still valid?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
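
The approach argued for in the message above (re-check every expected field on the server with its own rule, and halt the mirror to the third-party service when a field is no longer valid), as an added example that is not part of the original e-mail. The field names, the rules and the `service.example` URL are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical rule table: one rule per field the form is expected to send.
const FIELD_RULES = [
    'email' => ['filter' => FILTER_VALIDATE_EMAIL],
    'age'   => ['filter' => FILTER_VALIDATE_INT,
                'options' => ['min_range' => 18, 'max_range' => 120]],
    'name'  => ['filter' => FILTER_VALIDATE_REGEXP,
                'options' => ['regexp' => '/\A[\p{L} \'-]{1,64}\z/u']],
];

// Re-check browser-validated data on the server. Returns the clean values,
// or null when a field is missing, invalid, or not one the form sends.
function validateExpected(array $input): ?array
{
    if (array_diff_key($input, FIELD_RULES) !== []) {
        return null; // unexpected field: not something the form sends
    }
    $clean = [];
    foreach (FIELD_RULES as $field => $rule) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            return null;
        }
        $value = filter_var($input[$field], $rule['filter'],
                            ['options' => $rule['options'] ?? []]);
        if ($value === false) {
            return null; // no longer a valid value for this field
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Build the URL for the third-party service from validated fields only;
// null means the mirror must be halted.
function buildMirrorUrl(string $base, array $post): ?string
{
    $clean = validateExpected($post);
    return $clean === null ? null : $base . '?' . http_build_query($clean);
}

// Constructed sample input (not real data).
$valid    = ['email' => 'alice@example.com', 'age' => '34', 'name' => "O'Neil"];
$tampered = ['email' => 'alice@@example.com', 'age' => '34', 'name' => "O'Neil"];

var_dump(buildMirrorUrl('https://service.example/submit', $valid));
var_dump(buildMirrorUrl('https://service.example/submit', $tampered));
```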