Newsgroups: php.internals
Message-ID: <4379AE54.1080808@zend.com>
Date: Tue, 15 Nov 2005 12:45:56 +0300
To: Roman Ivanov
CC: internals@lists.php.net
Subject: Re: [PHP-DEV] Re: results of the PHP6 wishlists
From: antony@zend.com (Antony Dovgal)

On 15.11.2005 05:38, Roman Ivanov wrote:
> Antony Dovgal wrote:
>> On 14.11.2005 12:55, Roman Ivanov wrote:
>>
>>> wishlist> input filter extension (including some element of user
>>> wishlist> control)
>>>
>>> Will it be used _instead_ of $_POST and $_GET?
>>
>>
>> An extension instead of the arrays?
>> You must be missing something...
>
> I do not think so. If the only way to get 'post' and 'get' variables
> will be through input_get(), then filter extension will effectively and
> functionally replace those arrays. Is it not right?

Obviously, no, this won't be the only way to get the data.

>>> Honestly, I'm not so sure it's a good idea to implement it like PECL
>>> extension does. Filtering individual variables is, in my opinion, a
>>> wrong way to treat user input.
>>
>>
>> You may filter data recursively, so filtering, for example, _POST or
>> _GET would work fine.
>
> Recursion does not solve the problem I'm trying to highlight.
>
> //Way #1:
> //Way #2:

Didn't get the problem, sorry.
Could you try to explain it once more?

> "Part of the standard API, which is included with PHP and compiles by
> default", if you will.

So, basically you're objecting to enabling it by default? Why?
I really do not see a reason to not include it by default, if it helps to write more secure code.
(Remember that "enabled by default" means you can disable it in a moment.)

>> Yeah, that's why you can use your own callback for filtering.
> Callback just plugs your function in some pre-defined structure.

Right.
Feel free to write your own PHP class/library for filtering, if you think that this predefined structure doesn't fit your needs.

--
Wbr,
Antony Dovgal