> On 11 Sep 2017, at 17:41, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> 
> Hi Stephen,
> 
> On Mon, Sep 11, 2017 at 6:37 PM, Stephen Reay <php-li...@koalephant.com> wrote:
> 
>> On 11 Sep 2017, at 15:42, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>> 
>> It seems you haven't tried to use the filter module seriously.
>> It simply does not have enough features for input validation.
>> e.g. You cannot validate "strings".
>> 
>> 
>> Yasuo,
>> 
>> I’ve asked previously what your proposal actually offers over the filter
>> functions, and got no response, so please elaborate on this?
>> 
> 
> 
>> Can you show a concrete example that cannot be validated in user land
>> currently, using the filter functions as a base?
>> 
> 
> FILTER_VALIDATE_REGEXP is simply not good enough.
> PCRE is known to still be vulnerable to regex DoS (as well as Oniguruma).
> Users should also avoid regex validation whenever possible, to avoid
> various risks.
> 
> In addition, the current filter module does not provide nested array
> validation, array key validation, etc. It's not true validation either.
> It does not provide simple length, min/max validations. It does
> non-explicit conversions (i.e. trim), etc.
> Length, min/max validation is mandatory validation if you would like to
> follow ISO 27000 requirements.
> 
> Regards,
> 
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net <mailto:yohg...@ohgaki.net>

So, you still didn’t actually provide an example. I *guess* you’re talking 
about character class validation or something else equally “simple”, because I 
can’t imagine what else would be a common enough case that you’d want to have 
built-in rules for, and that you wouldn’t internally use RegExp to test anyway.

Ok so we can’t use filter_var() rules to validate that a string field is an 
Alpha or AlphaNum, between 4 and 8 characters long (technically you could pass 
mb_strlen() to the INT filter with {min,max}_range options set to get the 
length validation, but I’ll grant you that *is* kind of a crappy workaround 
right now).

Why not stop trying to re-invent every single feature already present in PHP 
(yes, I’ve been paying attention to all your other proposals), and just *add* 
the functionality that’s missing:

A `FILTER_VALIDATE_STRING` filter, with “Options” of `min` => ?int, `max` => 
?int and “Flags” of FILTER_FLAG_ALPHA, FILTER_FLAG_NUMERIC (possibly a built in 
bit mask “FILTER_FLAG_ALPHANUMERIC” ?) 

Lastly: it may not be the format you personally want, but the filter extension 
*does* have the `filter_{input,var}_array` functions. Claiming something 
doesn’t exist because it doesn’t work exactly how you would like it to, makes 
you seem immature and petty, IMO.
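
Added example, not part of the thread or of ext/filter: the alphanumeric, 4 to 8 character check discussed above, done in userland without a regex by combining the `mb_strlen()` into `FILTER_VALIDATE_INT` workaround with `ctype_alnum()`, then applied per field through `filter_var_array()`. The helper name `validate_alnum_length` and the sample field names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns the string when it is alphanumeric and
// $min..$max characters long, false otherwise.
function validate_alnum_length($value, int $min, int $max)
{
    // Reject non-strings and malformed UTF-8 before measuring length.
    if (!is_string($value) || !mb_check_encoding($value, 'UTF-8')) {
        return false;
    }
    // Length check: feed mb_strlen() to the INT filter with a range.
    $len = filter_var(mb_strlen($value, 'UTF-8'), FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    if ($len === false) {
        return false;
    }
    // Character-class check without PCRE. ctype_alnum() is locale
    // dependent; in the default "C" locale it accepts ASCII only.
    return ctype_alnum($value) ? $value : false;
}

// Constructed sample input standing in for $_POST.
$input = [
    'username' => 'alice42',   // alphanumeric, 7 characters
    'code'     => 'ab!',       // too short and contains punctuation
    'tags'     => ['x'],       // an array where a scalar is expected
];

$check = function ($v) {
    return validate_alnum_length($v, 4, 8);
};
$rule = ['filter' => FILTER_CALLBACK, 'options' => $check];

// One rule per expected key; "missing" is deliberately absent from $input.
$result = filter_var_array($input, [
    'username' => $rule,
    'code'     => $rule,
    'tags'     => $rule,
    'missing'  => $rule,
]);

// A field is accepted only if it came back as a string; false (failed
// validation) and null (key not present) are both treated as rejections.
foreach ($result as $field => $value) {
    printf("%-8s %s\n", $field, is_string($value) ? 'accepted' : 'rejected');
}
```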
