Newsgroups: php.internals
Xref: news.php.net php.internals:14541
Date: Wed, 2 Feb 2005 23:28:13 +0100
From: helly@php.net (Marcus Boerger)
Reply-To: Marcus Boerger
To: Rasmus Lerdorf
CC: Marcus Boerger, Derick Rethans, Ilia Alshanetsky, internals@lists.php.net
Subject: Re: [PHP-DEV] PHP 5.1
Message-ID: <766793512.20050202232813@marcus-boerger.de>
In-Reply-To: <42014F3B.5040607@lerdorf.com>
References: <5.1.0.14.2.20050201142816.026d21c0@localhost> <5.1.0.14.2.20050201111730.0299da70@localhost> <5.1.0.14.2.20050201151955.02730ec0@localhost> <4200169A.6050905@lerdorf.com> <42001C1D.3090105@cschneid.com> <42001D7B.1040707@trickie.org> <420024EC.4080601@lerdorf.com> <4200457F.5080305@prohost.org> <42005629.3000905@lerdorf.com> <4200D48A.9070305@prohost.org> <42010045.20807@lerdorf.com> <12510140304.20050202223853@marcus-boerger.de> <42014F3B.5040607@lerdorf.com>

Hello Rasmus,
Wednesday, February 2, 2005, 11:07:55 PM, you wrote:

> Marcus Boerger wrote:
>>> Well, people turn on safe mode just because the name implies that things
>>> are safe too - which is wrong. I agree with Ilia, we should not mangle
>>> request data by default. It's fine to provide filter functions but the
>>> normal post/get/cookie data should be normally available through GET and
>>> POST - this is starting to look like another magic_quotes. A bad thing!
>>
>> Besides that turning on by default could turn out to become a major BC.

> I have never suggested it should be on by default. I specifically
> stated that it shouldn't be on by default.

Oops, I've read too fast then, sorry.

> And of course it could break
> certain applications if you turn it on. When you look at web apps out
> there you see elaborate schemes to filter input data that are often
> wrong. And even if they are right, they forgot to filter the state
> drop-down select list, for example. I mean they only provided a bunch
> of 2-letter state abbreviations for the user to choose between so they
> don't think to filter that particular field. You'd be amazed how many
> places you can spoof a form and send state=CA back to
> it. We need a way to apply a default security policy for all input data
> which can then be loosened for specific fields, like the text area field
> of a forum application. Think of it in firewall terms. A decent
> firewall starts with everything blocked and then you poke a few holes in
> it where you need them. A firewall which has everything open by default
> and you have to specifically block individual ports you think may be
> evil yourself is never going to be anywhere near as effective.
> TCP/IP Firewalls break all sorts of applications as well until either
> the application is modified to poke a hole in the firewall itself via
> upnp, or you reconfigure the firewall. This makes firewalls annoying,
> but they are necessary. This is exactly the same thing. It is a data
> firewall for PHP. You don't have to use it, but people want it and need it.

Agreed!

-- 
Best regards,
 Marcus                            mailto:helly@php.net
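The default-deny input policy Rasmus describes in the quoted message, as an added PHP example that is not code from this thread, from PHP core or from any filter extension: every request field starts under one strict default policy, and individual fields (the state drop-down, the forum text area) get an explicit, narrower or looser policy. The `InputFirewall` class, the policy closures, the state-code list and the sample request are all constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from any PHP extension: a
// default-deny "data firewall" for request input in the sense of the
// firewall analogy above. Every field is filtered by the strict default
// policy unless a hole has been poked for it by name. InputFirewall, the
// policies and the sample request below are constructed for this example.

final class InputFirewall
{
    /** @var array<string, callable> per-field policy overrides */
    private array $overrides = [];

    /** @var callable policy applied to every field without an override */
    private $defaultPolicy;

    public function __construct()
    {
        // Default policy: keep only ASCII letters, digits, space and a few
        // punctuation characters; every other byte is dropped.
        $this->defaultPolicy = static function (string $v): string {
            return (string) preg_replace('/[^A-Za-z0-9 .,_@-]/', '', $v);
        };
    }

    /** Override the policy for one named field (loosen or tighten it). */
    public function setPolicy(string $field, callable $policy): void
    {
        $this->overrides[$field] = $policy;
    }

    /**
     * Filter one request array such as $_POST. A policy returns the accepted
     * value, or null when the value must be rejected outright. Non-string
     * values (nested arrays) are dropped under the default policy.
     */
    public function filter(array $request): array
    {
        $clean = [];
        foreach ($request as $name => $value) {
            if (!is_string($value)) {
                continue;
            }
            $policy = $this->overrides[$name] ?? $this->defaultPolicy;
            $clean[$name] = $policy($value);
        }
        return $clean;
    }
}

// Allow-list policy for the state drop-down. The form only offers a few
// two-letter codes, but a spoofed form can submit anything, so the server
// checks the submitted value against the same list instead of trusting it.
$stateCodes = ['CA', 'NY', 'TX']; // constructed list for the example
$stateAllowList = static function (string $v) use ($stateCodes): ?string {
    return in_array($v, $stateCodes, true) ? $v : null;
};

// The forum text area is where a hole is deliberately poked: the raw text
// passes through here and has to be escaped on output instead.
$passThrough = static fn (string $v): string => $v;

$fw = new InputFirewall();
$fw->setPolicy('state', $stateAllowList);
$fw->setPolicy('message', $passThrough);

// Constructed sample request, shaped like a submission from a spoofed form.
$post = [
    'username' => 'bob<tag>',
    'state'    => 'ZZ',
    'message'  => "Hello <b>world</b>\n",
    'nested'   => ['x' => 'y'],
];

$clean = $fw->filter($post);
if ($clean['state'] === null) {
    // Rejected by the allow-list: the whole request should be treated as invalid.
    echo "state rejected\n";
}
var_export($clean);
```

The byte-stripping default is deliberately crude; the point of the example is the ordering, not the regex: nothing reaches the application without passing some policy, and the only field that receives unfiltered text is the one that was named explicitly, which in turn makes output escaping for that field the control that still has to exist. The state field shows the case from the message: a field whose UI offers three choices still needs server-side validation, because the browser is not the one deciding what gets submitted.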