Newsgroups: php.internals
Xref: news.php.net php.internals:14479
Message-ID: <420005A3.8050605@lerdorf.com>
Date: Tue, 01 Feb 2005 14:41:39 -0800
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: Andi Gutmans
CC: internals@lists.php.net
In-Reply-To: <5.1.0.14.2.20050201142816.026d21c0@localhost>
Subject: Re: [PHP-DEV] PHP 5.1

Andi Gutmans wrote:
> As time is very short, I suggest to discuss exactly what we want and
> then to see if it's possible in a 5.1 time frame.
> Can you give a short overview of what you had in mind and how the
> end-user would be using the functionality?

Well, I am not starting from scratch here. I have code, it just needs a bit of polishing. But the general idea is to provide an optional filter that people can enable in their ini file. This will strip out any XSS, quotes, braces, etc. The actual list will need to be massaged a bit, and there will be multiple filters so people can choose how strict to be by default.

At the same time a filter access function is provided, e.g.

  $age  = pfilter(POST, 'age', FILTER_DIGITS);
  $addr = pfilter(POST, 'addr', FILTER_ALNUM);
  $body = pfilter(REQUEST, 'body', FILTER_TAGS);
  $raw  = pfilter(COOKIE, 'cook', FILTER_RAW);

We obviously can't turn on the input filter by default, but even without the default filter enabled, providing a set of input filters for people to use so they don't have to come up with complicated regular expressions to check user input will go a long way to make it easier for people to write safer applications. Even people who actually take the step to do input validation tend to get the validation wrong as we have seen in a number of recent examples.

-Rasmus
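As an added illustration, not code from the mail or from PHP itself, here is a userland PHP sketch of what the proposed pfilter() access function could look like. The function name and the four filter names (FILTER_DIGITS, FILTER_ALNUM, FILTER_TAGS, FILTER_RAW) come from the mail; the POST/REQUEST/COOKIE source constants, the extra $override parameter used to feed in a constructed request from the command line, the return-null-on-failure contract and the PHP 8 match syntax are all assumptions. It goes a little beyond the mail to show one of the ways hand-written validation goes wrong: in PCRE the $ anchor also matches just before a trailing newline, so a naive '/^[0-9]+$/' accepts "42\n", which is why the digit and alnum filters anchor with \A and \z instead.

```php
<?php
// Added example (not Rasmus's code): a userland sketch of the proposed
// pfilter() access function. pfilter and the FILTER_* names are from the
// mail; the source constants, $override parameter and all behaviour below
// are assumptions made for illustration. Requires PHP 8 (match expression).

declare(strict_types=1);

const FILTER_DIGITS = 'digits';
const FILTER_ALNUM  = 'alnum';
const FILTER_TAGS   = 'tags';
const FILTER_RAW    = 'raw';

// Source selectors: which superglobal the value is read from (assumed names).
const POST    = 'post';
const REQUEST = 'request';
const COOKIE  = 'cookie';

/**
 * Read $key from the chosen input source and pass it through exactly one filter.
 * Returns null when the key is absent, is not a scalar string, or fails the
 * filter, so a caller cannot silently end up using unchecked input.
 * $override replaces the superglobal and exists only so the sample below runs
 * from the CLI, where $_POST etc. are empty.
 */
function pfilter(string $source, string $key, string $filter, ?array $override = null): ?string
{
    $data = $override ?? match ($source) {
        POST    => $_POST,
        REQUEST => $_REQUEST,
        COOKIE  => $_COOKIE,
    };
    if (!isset($data[$key]) || !is_string($data[$key])) {
        return null; // missing keys and array-valued parameters never pass
    }
    $value = $data[$key];

    switch ($filter) {
        case FILTER_DIGITS:
            // \A..\z rather than ^..$: with $ alone, "42\n" would validate.
            return preg_match('/\A[0-9]+\z/', $value) === 1 ? $value : null;
        case FILTER_ALNUM:
            return preg_match('/\A[A-Za-z0-9]+\z/', $value) === 1 ? $value : null;
        case FILTER_TAGS:
            // Remove markup, then escape what remains so it is inert in HTML output.
            return htmlspecialchars(strip_tags($value), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        case FILTER_RAW:
            return $value; // explicit opt-in to the unfiltered value
        default:
            throw new InvalidArgumentException("unknown filter: $filter");
    }
}

// Constructed sample request standing in for $_POST / $_REQUEST / $_COOKIE.
$sample = [
    'age'  => "42\n",                          // trailing newline: the ^...$ slip
    'addr' => 'Flat4b',
    'body' => '<script>alert(1)</script>hi',
    'cook' => 'a=b; c="d"',
];

var_dump(pfilter(POST,    'age',  FILTER_DIGITS, $sample)); // rejected: null
var_dump(pfilter(POST,    'addr', FILTER_ALNUM,  $sample));
var_dump(pfilter(REQUEST, 'body', FILTER_TAGS,   $sample));
var_dump(pfilter(COOKIE,  'cook', FILTER_RAW,    $sample));
```

Run it with `php pfilter_demo.php`. The design point is that each call names its source, key and policy in one place, so a reviewer can grep for FILTER_RAW to find every spot where unfiltered input is deliberately accepted.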