Re: [PHP-DEV] A validator module for PHP7

September 11, 2017 22:16 (Yasuo Ohgaki)

On Tue, Sep 12, 2017 at 6:54 AM, <> wrote:

> On 11.09.2017 at 23:39, Yasuo Ohgaki wrote:
>> On Tue, Sep 12, 2017 at 6:35 AM, but you still fail
>> to explain why in the world you don't try to
>> enhance the existing filter functions instead invent a new beast
>> leading finally to have the existing filter functions and your new
>> stuff which share the same intention
>>
>> Why don't you read previous RFC and the vote result?
>
> and why do you not take the contra arguments against how do you think
> things should be done into your considerations and believe bikeshed it with
> a different name will achieve anything?

If you understand the difference, there are huge differences with respect to behaviors. The previous RFC was halfway-finished "validation"; it's far from "true validation".

> it's basically the same as your hash_hkdf() related stuff - you just ignore
> everybody and continue to ride a dead horse up to a level where even pure
> readers of the internals list just have enough and only think "stop it guy"

The hash_hkdf() discussion comes to a conclusion finally, if you haven't noticed it. It is clear now that Nikita and Andrey do not understand the algorithm (including underlying HMAC and crypto hash characteristics) and the RFC. See the relevant thread for the conclusion. (The latest one)

In short, the current hash_hkdf() not only violates RFC 5869, but also encourages extremely insecure usage and has an unnecessarily incompatible API with respect to other hash functions.

On Tue, Sep 12, 2017 at 6:56 AM, <> wrote:

> and i am surprised that you act *that* stubborn and obviously think when you
> give the bike a new name someone will buy it instead really consider the
> contras of previous proposals

"Validate" and "filter improvement" are fundamentally different proposals in fact, i.e. Validate does true white list validation, while filter improvement is halfway.

Almost all apps do not implement "proper application level input validation" yet, even if all security guidelines/standards recommend/require it.

What do you mean by "stubborn"? Would you like me to try to remove "input validations" from security guidelines or standards? If you seriously think so, you're the one who should try.

Regards,

--
Yasuo Ohgaki