On 05/09/17 14:08, li...@rhsoft.net wrote:
> 
> 
> Am 05.09.2017 um 13:36 schrieb Lester Caine:
>> On 05/09/17 12:18, Yasuo Ohgaki wrote:
>>> I cannot guess people's thought. I appreciated feedback!
>>
>> With a decent database layer a lot of the validation you are proposing
>> is already covered but PDO does not help in this area. Adding another
>> layer that does not integrate with a storage layer is just adding to the
>> current mess ...
> 
> sorry, but you confuse "input validation" which this topic is about with
> something different - input validation and reject bad requests belongs
> some layers on top of any storage and should be done as soon as possible
> 
> that should even happen long before you open a database connection at
> all because when you know the request is bad soon enough you won't talk
> to any database, filesystem or whatever storage layer at all
> 
> the only question as application developer is how you proceed in which cases
> 
> * reject the whole request with an error-message
> * reset form-fields where you don't expect an array as input
> * reset form-fields with out-of-range input values
> 
> here you go:
> https://en.wikipedia.org/wiki/Data_validation

When the database layer provides a complete list of fields and
validation rules as part of its metadata, it is integral to any GOOD
process. Copying all that data and manually creating filter rules is
just unnecessary work. In addition much of the VALIDATION is best done
at the browser end, and building that code is a lot easier when there is
a standard validation base across all of the layers!

Rejecting crap from hackers that have no format matching the fields on
the browser page is something else and if the data set is corrupt then
yes you can simply skip out before doing anything with it! But the
problem these days is when hackers try injecting things like SQL into
fields they think may be able to get through to the database. Provided
that the validation layer can properly filter that injection requires
knowledge that a string has reason to be rejected. Just as simply type
casting a number to integer or float is only doing a small part of the job.

Typing and validating a field by the metadata constraints has to be the
right way forward?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
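The validation layer the quoted message describes (checks run before any database connection is opened, with its three outcomes: reject the whole request, or reset fields that arrive as arrays or out of range), as an added PHP 8 example that is not code from the thread or from PHP itself; the RequestValidator class, its rule keys and the sample input are invented.

```php
<?php
// Added example, not code from the thread or from PHP itself. Rules mirror what a
// storage layer's column metadata could supply (type, range, length); names are invented.
final class RequestValidator
{
    public function __construct(private array $rules) {}
    // Validate raw request input before any DB connection is opened.
    public function validate(array $input): array
    {
        $clean = []; $errors = [];
        foreach ($this->rules as $name => $rule) {
            if (!array_key_exists($name, $input)) {
                if ($rule['required'] ?? false) { $errors[$name] = 'missing'; }
                continue;
            }
            $value = $input[$name];
            if (!is_scalar($value)) { $errors[$name] = 'array where scalar expected'; continue; }
            switch ($rule['type']) {
                case 'int':
                    $v = filter_var($value, FILTER_VALIDATE_INT);
                    if ($v === false) { $errors[$name] = 'not an integer'; continue 2; }
                    if ((isset($rule['min']) && $v < $rule['min']) ||
                        (isset($rule['max']) && $v > $rule['max'])) { $errors[$name] = 'out of range'; continue 2; }
                    $clean[$name] = $v;
                    break;
                case 'string':
                    $v = (string) $value;
                    if (isset($rule['maxlen']) && strlen($v) > $rule['maxlen']) { $errors[$name] = 'too long'; continue 2; }
                    if (isset($rule['pattern']) && preg_match($rule['pattern'], $v) !== 1) { $errors[$name] = 'bad format'; continue 2; }
                    $clean[$name] = $v;
                    break;
                default:
                    $errors[$name] = 'unknown rule type';
            }
        }
        // Policy from the thread: a bad required field rejects the whole request;
        // a bad optional field is reset (dropped from $clean) and processing continues.
        $fatal = array_filter($errors, fn($n) => $this->rules[$n]['required'] ?? false, ARRAY_FILTER_USE_KEY);
        return ['reject' => $fatal !== [], 'fields' => $clean, 'errors' => $errors];
    }
}

// Constructed sample standing in for $_POST: qty arrives as an array, id and email are fine.
$validator = new RequestValidator([
    'id'    => ['type' => 'int', 'min' => 1, 'max' => PHP_INT_MAX, 'required' => true],
    'qty'   => ['type' => 'int', 'min' => 0, 'max' => 99],
    'email' => ['type' => 'string', 'maxlen' => 254, 'pattern' => '/^[^@\s]+@[^@\s]+\.[^@\s]+$/'],
]);
print_r($validator->validate(['id' => '42', 'qty' => ['1', '2'], 'email' => 'a@b.example']));
```

With that input the optional qty field is reset and the request proceeds with id and email; had id been the array, the required-field rule would reject the request outright.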