Newsgroups: php.internals
Xref: news.php.net php.internals:47836
Date: Thu, 8 Apr 2010 12:51:16 +0200
From: mls@pooteeweet.org (Lukas Kahwe Smith)
To: daniel zulla
Cc: internals@lists.php.net
Message-ID: <65CA45D8-4D33-412E-AD72-BD592B074E8B@pooteeweet.org>
Subject: Re: [PHP-DEV] User Input Callback as a new security feature

On 08.04.2010, at 12:48, daniel zulla wrote:

> Hi,
> Take a look at the code example [1].
> Why not give programmers the possibility to init their scripts with
> a call that tells exactly what data should be taken - like GET userid
> INT and GET password MIXED, or just POST domainid INT, or something
> like that.
>
> If there's data transmitted that the script doesn't need, why should we
> go on with execution?
>
> In my example, request_init would check if there is $_POST['userid'],
> $_POST['pass'], $_GET['userid'] or $_GET['pass'] and if userid is an
> integer, and pass is mixed.
>
> If that's all right, the script just goes on working.
> If not, and that's the clue, the callback function will be called,
> telling the user what's wrong.
>
> A feature like that would highly improve security. Programmers
> wouldn't even think about stupid solutions like getting all the $_POST
> data into an Array() and trying to quote it anymore. It's an advantage
> for readability too:
> You take a look at the code, and you just know exactly what's going on.
>
> When magic_quotes and register_globals will, finally, be killed in
> PHP6, this could be, finally, a real security feature, couldn't it?
>
> Greets,
> Daniel Zulla
>
> [1] Code Example:
> <?php
> request_init(Array(POST, GET), Array(userid => INT, pass =>
> mixed), $callback->crap_transmitted, 1);
> ?>
>

are you aware of the filter extension: http://php.net/filter

regards,
Lukas Kahwe Smith
mls@pooteeweet.org
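The request_init() call Daniel sketches, rebuilt on the filter extension Lukas points to. This is an added example, not code from the thread or from PHP itself; the request_init() signature, the source/definition layout and the sample requests are assumptions, and request data is passed in as arrays (rather than read with filter_input_array) so it runs without a web server.

```php
<?php
// Added example: a userland request_init() on top of ext/filter.
// $sources    - name => parameter array, e.g. ['GET' => $_GET, 'POST' => $_POST]
// $definition - parameter name => filter_var_array() definition
// $onError    - called with a list of problems instead of continuing the script
function request_init(array $sources, array $definition, callable $onError): ?array
{
    $clean  = [];
    $errors = [];
    foreach ($sources as $name => $data) {
        // Anything the script did not declare is an error, as the proposal asks.
        foreach (array_diff_key($data, $definition) as $key => $_) {
            $errors[] = "$name: unexpected parameter '$key'";
        }
        // filter_var_array(): a value that fails its filter becomes false,
        // a declared key absent from this source becomes null.
        $filtered = filter_var_array(array_intersect_key($data, $definition), $definition);
        foreach ($filtered as $key => $value) {
            if ($value === false) {
                $errors[] = "$name: parameter '$key' failed validation";
            } elseif ($value !== null) {
                $clean[$key] = $value;
            }
        }
    }
    // Every declared parameter must arrive in at least one source.
    foreach (array_diff_key($definition, $clean) as $key => $_) {
        $errors[] = "missing parameter '$key'";
    }
    if ($errors) {
        $onError($errors);   // the proposal's "crap_transmitted" callback
        return null;
    }
    return $clean;           // only declared, validated values reach the script
}

// "userid INT, pass MIXED" in the proposal's terms.
$definition = [
    'userid' => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
    'pass'   => FILTER_UNSAFE_RAW,   // "mixed": any string, to be checked by the login code
];
$onError = function (array $errors): void {
    foreach ($errors as $e) { echo "rejected: $e\n"; }
};

// Constructed sample requests: the first is accepted; the second is rejected for a
// non-integer userid, an undeclared 'debug' parameter and a missing pass.
var_dump(request_init(['GET' => ['userid' => '42'], 'POST' => ['pass' => 's3cret']], $definition, $onError));
request_init(['GET' => ['userid' => '42abc', 'debug' => '1']], $definition, $onError);
```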