Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:47835 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 83031 invoked from network); 8 Apr 2010 10:49:02 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 8 Apr 2010 10:49:02 -0000 Authentication-Results: pb1.pair.com header.from=daniel.zulla@googlemail.com; sender-id=pass; domainkeys=bad Authentication-Results: pb1.pair.com smtp.mail=daniel.zulla@googlemail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain googlemail.com designates 209.85.219.214 as permitted sender) DomainKey-Status: bad X-DomainKeys: Ecelerity dk_validate implementing draft-delany-domainkeys-base-01 X-PHP-List-Original-Sender: daniel.zulla@googlemail.com X-Host-Fingerprint: 209.85.219.214 mail-ew0-f214.google.com Received: from [209.85.219.214] ([209.85.219.214:45142] helo=mail-ew0-f214.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 40/24-50768-D94BDBB4 for ; Thu, 08 Apr 2010 06:49:02 -0400 Received: by ewy6 with SMTP id 6so625229ewy.32 for ; Thu, 08 Apr 2010 03:48:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:mime-version:received:date:received:message-id :subject:from:to:content-type; bh=p2jKhTK80s0YC7VA3NMQx7kZ5qedr35Gc4hE4aL6GP0=; b=jg0JBm3rTBBoh3DQEbpNfYVzD0UQTGtzIq3YbgQYWPZyt61ek5900dT8DBZ22B1MDs MA0/E6KlYMZxT0sfZSQNJesvnyOyTODbjtya6eCsgEPma9TUqfSVmxtqLzJvOC5u/269 TYh3wKLotI9vWgty5viMk7kHnw1eDqfH3or+c= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=fLJJAdLPW4VEIgoOHS1xynHc8vmLVMlQKQzOw9nOhoyMZJXUjiqYC5NCHLdyMLpzhm bSrilStdk4yvCCkjjcwOdY41Azal0wzAISzJUZBHFCTcU1AkY9saUHIFGHkIpaCShcqI sI7b+j52PhuXiGJnzUBNWe3KYRsvTKpUlUHyg= MIME-Version: 1.0 Received: by 10.213.12.207 with HTTP; Thu, 8 Apr 2010 03:48:59 -0700 (PDT) Date: Thu, 8 Apr 2010 12:48:59 +0200 Received: by 10.213.44.129 with SMTP id a1mr34268ebf.37.1270723739043; Thu, 08 Apr 2010 03:48:59 -0700 (PDT) Message-ID: To: internals@lists.php.net Content-Type: text/plain; charset=ISO-8859-1 Subject: User Input Callback as a new security feature From: daniel.zulla@googlemail.com (daniel zulla) Hi, Take a look at the code example [1]. Why not giving programmers the possibility to init their scripts with a call, that tells exactly what data should be taken - like GET userid INT and GET password MIXED, or just POST domainid INT, or something like that. If there's data transmitted, the scripts doesn't need, why should we go on with execution? In my example, request_init would check if there is $_POST['userid'], $_POST['pass'], $_GET['userid'] or $_GET['pass'] and if userid is an integer, and pass is mixed. If that's all right, the script just goes on working. If not, and that's the clue, the callback function will be called, telling the user what's wrong. A feature like that would highly improve security. Programmers wouldn't even think about stupid solutions like getting all the $_POST data into an Array() and trying to quote it anymore. It's an advantage for readability too: You take a look on the code, and you just know exactly what's going on. When magic_quotes and register_globals will, finally, be killed in PHP6, this could be, finally, a real security feature, couldn't it? Greets, Daniel Zulla [1] Code Example: INT, pass => mixed), $callback->crap_transmitted, 1); ?> [...]