Newsgroups: php.internals
Date: Tue, 11 Oct 2022 18:22:29 +0100 (BST)
From: derick@php.net (Derick Rethans)
To: Kamil Tekiela
Cc: PHP internals
Subject: Re: [PHP-DEV] Sanitize filters

Hi all,

On Sat, 1 Oct 2022, Kamil Tekiela wrote:

> For quite some time now, PHP's sanitize filters have "Rustled My
> Jimmies". These filters bother me because I can't really justify their
> existence. I can understand that a few of them are sensible and may
> come in handy, but I would like to talk about some of these in
> particular.

I want to provide some context on why we have ext/filter, and why the filters that we currently have exist.
At the time when we introduced ext/filter (which I mostly wrote), we were beholden to the scourge of "magic quotes". In order for PHP to allow for a safer acceptance of input variables into a script, we added the ext/filter API to do so. The filters and sanitisers that we added were at that moment reasonable to add, and also likely to be used. We did punt on a few, and I am sure we made some 'interesting' decisions. For example, the e-mail validator was not designed to allow for what the full spec allowed, but instead what we thought would be input by reasonable people.

The sanitising filters were added to get a rough, but reasonable filter to make data safe for specific contexts. Some of them were added so that people could easily upgrade, by for example setting the default filter to "magic_quotes" (or "add_slashes"). They're probably less useful *now*, but that doesn't detract from the fact that they might still be in use.

I do believe we need to be better in promoting ext/filter's *good use*, of which there are plenty of cases. And evaluating how to *improve* (and not *remove*) filters and sanitisers would be useful too. Do you have specific suggestions towards that?

cheers,
Derick
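The distinction the message draws between sanitising filters (which rewrite input so it fits a context) and validating filters (which accept or reject it) is easier to see side by side. The script below is an added example written for this page; it is not code from the message or from ext/filter itself. It assumes PHP 8 (for the `mixed` return type) and uses constructed sample inputs; the function names `validateField`, `compareFilters` and `renderForHtml` are the example's own.

```php
<?php
// Added example: "sanitise and carry on" versus "validate and reject"
// with ext/filter. Not part of the original message or of ext/filter.
declare(strict_types=1);

/**
 * Validate one request field with a FILTER_VALIDATE_* filter.
 * Returns the filtered value on success and null on rejection, so the
 * caller must handle the failure case instead of receiving a silently
 * mangled value.
 */
function validateField(string $raw, int $filter, array $options = []): mixed
{
    // FILTER_NULL_ON_FAILURE makes failure unambiguous: false is a
    // legitimate result for FILTER_VALIDATE_BOOL, null never is.
    $options['flags'] = ($options['flags'] ?? 0) | FILTER_NULL_ON_FAILURE;
    return filter_var($raw, $filter, $options);
}

/**
 * Run the same input through a sanitising filter and a validating filter
 * and return both outcomes for comparison.
 */
function compareFilters(
    string $raw,
    int $sanitizeFilter,
    int $validateFilter,
    array $validateOptions = []
): array {
    return [
        'input'     => $raw,
        'sanitized' => filter_var($raw, $sanitizeFilter),
        'validated' => validateField($raw, $validateFilter, $validateOptions),
    ];
}

/**
 * Context-specific escaping belongs at the output sink, not at input time:
 * store the validated value and encode it where it is rendered.
 */
function renderForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs of the kind a request might carry.
$cases = [
    // A port number with trailing junk: sanitising keeps the digits and
    // discards the rest, validating rejects the whole field.
    compareFilters('42abc', FILTER_SANITIZE_NUMBER_INT, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]),
    // An address containing characters the e-mail grammar does not allow
    // unquoted: sanitising strips them, validating rejects the field.
    compareFilters('alice<b>@example.com', FILTER_SANITIZE_EMAIL, FILTER_VALIDATE_EMAIL),
    // A well-formed address passes both filters unchanged.
    compareFilters('alice@example.com', FILTER_SANITIZE_EMAIL, FILTER_VALIDATE_EMAIL),
];

foreach ($cases as $case) {
    printf(
        "input=%-26s sanitized=%-24s validated=%s\n",
        var_export($case['input'], true),
        var_export($case['sanitized'], true),
        var_export($case['validated'], true)
    );
}

// The validated value is what gets stored; encoding happens at the sink.
echo renderForHtml('alice<b>@example.com'), "\n";
```

Run it with `php example.php`. The first two cases show why a sanitising filter is a poor substitute for validation when the goal is to reject bad input: the caller receives a plausible-looking value and no signal that anything was removed. The validating filters, used with `FILTER_NULL_ON_FAILURE` and explicit range options, are the "good use" the message refers to, and escaping with `htmlspecialchars` at the output sink covers the context-specific concern that the older sanitisers (such as the magic-quotes-style add-slashes filter) tried to handle at input time.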