Newsgroups: php.internals
Message-ID: <42000CA3.5020705@cschneid.com>
Date: Wed, 02 Feb 2005 00:11:31 +0100
To: Rasmus Lerdorf
Cc: Andi Gutmans, internals@lists.php.net
In-Reply-To: <420005A3.8050605@lerdorf.com>
Subject: Re: [PHP-DEV] PHP 5.1
From: cschneid@cschneid.com (Christian Schneider)

Rasmus Lerdorf wrote:
> But the general idea is to provide an optional filter that people can
> enable in their ini file. This will strip out any XSS, quotes, braces,

I assume this will include PHP functions to do the filtering as well?
(Forgive me if we already have this now, I haven't looked at 5.0 enough
yet :-))

> $age = pfilter(POST, 'age', FILTER_DIGITS);
> $addr = pfilter(POST, 'addr', FILTER_ALNUM);
> $body = pfilter(REQUEST, 'body', FILTER_TAGS);
> $raw = pfilter(COOKIE,'cook', FILTER_RAW);

Sounds like a good idea (even though the name pfilter reminds me too much
of packet filter :-)). A catch-all could be handy too, e.g.

    pfilter(REQUEST, DEFAULT, FILTER_TAGS);

which filters anything not handled before. Surely you can come up with a
better interface but I hope you get the idea. Being able to define a
default filter but still override it for certain variables is what I mean.
(Also important would be that FILTER_TAGS is more robust than strip_tags
which has some loopholes IIRC)

I agree that making input validation (or filtering) easy is important to
help people write safer code. I once wrote a validator in PHP which allowed
me to specify allowable tags including attributes and regular expressions
for the attribute values, but it required the input to be XML/XHTML which
might be a bit too harsh for most people.

A bit off-topic: I'm sure variable tainting has been discussed before. Can
someone give the final opinion: was it found unsuitable/too much work/too
inefficient, or was it just postponed (maybe indefinitely)?

- Chris
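The "default filter, overridden per variable" idea from the exchange above, modelled as an added PHP example. This is not code from the mail or from the ext/filter extension PHP later shipped; pfilter(), pfilter_all(), the FILTER_* constant values and the sample request array are all assumptions made for the illustration.

```php
<?php
// Hypothetical model of the proposal discussed in the mail: allowlist
// filters, a per-variable pfilter() and a catch-all default. Not ext/filter.
const FILTER_RAW    = 'raw';
const FILTER_DIGITS = 'digits';
const FILTER_ALNUM  = 'alnum';
const FILTER_TAGS   = 'tags';

// Every filter except RAW is an allowlist: it keeps only what it permits.
function apply_filter(string $value, string $filter): string
{
    switch ($filter) {
        case FILTER_RAW:    return $value;
        case FILTER_DIGITS: return preg_replace('/[^0-9]/', '', $value);
        case FILTER_ALNUM:  return preg_replace('/[^A-Za-z0-9]/', '', $value);
        case FILTER_TAGS:   // escape rather than strip: no tag parsing needed
            return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        default:
            throw new InvalidArgumentException("unknown filter: $filter");
    }
}

// One variable, one explicit filter. Returns null when the key is absent so
// "missing" is never confused with "empty after filtering".
function pfilter(array $source, string $key, string $filter): ?string
{
    return isset($source[$key]) ? apply_filter((string) $source[$key], $filter) : null;
}

// Catch-all: keys named in $overrides keep their explicit filter, every
// other key in $source gets $default_filter (the DEFAULT idea in the mail).
function pfilter_all(array $source, array $overrides, string $default_filter): array
{
    $out = [];
    foreach ($source as $key => $value) {
        $out[$key] = apply_filter((string) $value, $overrides[$key] ?? $default_filter);
    }
    return $out;
}

// Constructed sample request standing in for $_REQUEST.
$request = [
    'age'  => '42abc',
    'addr' => 'Main St. 1 <b>',
    'body' => '<b>hi</b> & <script>x</script>',
    'misc' => '"quoted" {braces}',
];
print_r(pfilter_all($request, ['age' => FILTER_DIGITS, 'addr' => FILTER_ALNUM], FILTER_TAGS));
var_dump(pfilter($request, 'age', FILTER_DIGITS), pfilter($request, 'nope', FILTER_RAW));
```

Run it with any PHP 7.1 or later CLI; the catch-all escapes 'body' and 'misc' because they were not named in the override map.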