Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:14525 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 63092 invoked by uid 1010); 2 Feb 2005 16:31:09 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 62965 invoked from network); 2 Feb 2005 16:31:06 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 2 Feb 2005 16:31:06 -0000 X-Host-Fingerprint: 66.198.51.121 lerdorf.com Linux 2.4/2.6 Received: from ([66.198.51.121:40811] helo=colo.lerdorf.com) by pb1.pair.com (ecelerity HEAD (r4105:4106)) with SMTP id 4B/35-17292-94001024 for ; Wed, 02 Feb 2005 11:31:06 -0500 Received: from [192.168.2.106] (c-24-6-1-160.client.comcast.net [24.6.1.160]) (authenticated bits=0) by colo.lerdorf.com (8.13.3/8.13.3/Debian-4) with ESMTP id j12GV27w006413 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 2 Feb 2005 08:31:03 -0800 Message-ID: <42010045.20807@lerdorf.com> Date: Wed, 02 Feb 2005 08:31:01 -0800 User-Agent: Mozilla Thunderbird 1.0 (Macintosh/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Ilia Alshanetsky CC: internals@lists.php.net References: <5.1.0.14.2.20050201142816.026d21c0@localhost> <5.1.0.14.2.20050201111730.0299da70@localhost> <5.1.0.14.2.20050201111730.0299da70@localhost> <5.1.0.14.2.20050201142816.026d21c0@localhost> <5.1.0.14.2.20050201151955.02730ec0@localhost> <4200169A.6050905@lerdorf.com> <42001C1D.3090105@cschneid.com> <42001D7B.1040707@trickie.org> <420024EC.4080601@lerdorf.com> <4200457F.5080305@prohost.org> <42005629.3000905@lerdorf.com> <4200D48A.9070305@prohost.org> In-Reply-To: <4200D48A.9070305@prohost.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] PHP 5.1 From: rasmus@lerdorf.com (Rasmus Lerdorf) Ilia Alshanetsky wrote: >> Looking at my code here, it would actually be trivial to expose the >> raw data as superglobals, but what do we achieve then? We are simply >> renaming $_GET to $_GET_RAW or something like that? If you don't want >> any filtering to be done by default, simply don't turn it on. > > > In many cases it may not be possible to turn off automatic input filter, > because of limited access. I realize that. But the filter was likely turned on for a reason in such cases with the goal that all applications running on the server that need non-standard access to user data will have to be modified to explicitly access that data through an appropriate filter. I see no point in introducing this feature which is aimed at solving the XSS and other related security issues once and for all across all PHP applications while at the same time providing a completely insecure side door. Dealing with security issues is a pain in the ass. This pain doesn't go away and there is always the temptation to escape out through a side door and ignore it. This filtering extension is like your nagging mother constantly there telling you to eat your veggies and clean your room. You are coming from the position of already having a decently secure application meant to run everywhere and you have endured this pain already, so I can see that this is additional mostly unnecessary pain for you. And having to call a function to get the raw data is going to slow you down a little bit. On the other hand, during installation and configuration of your application you should be able to check if the filtering extension is available and instead of using your user-space data validation checks, replace some of them with the likely much faster checks provided by the extension, so it may be a net gain for you in the end with the added benefit that the application next to you not written by someone as adept as you isn't going to take down the server on you. -Rasmus