Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:50940 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 98433 invoked from network); 9 Dec 2010 12:10:55 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 9 Dec 2010 12:10:55 -0000 Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.160.42 cause and error) X-PHP-List-Original-Sender: rasmus@lerdorf.com X-Host-Fingerprint: 209.85.160.42 mail-pw0-f42.google.com Received: from [209.85.160.42] ([209.85.160.42:47694] helo=mail-pw0-f42.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id CA/00-32433-E47C00D4 for ; Thu, 09 Dec 2010 07:10:54 -0500 Received: by pwj5 with SMTP id 5so590174pwj.29 for ; Thu, 09 Dec 2010 04:10:51 -0800 (PST) Received: by 10.142.57.19 with SMTP id f19mr3922916wfa.94.1291896294582; Thu, 09 Dec 2010 04:04:54 -0800 (PST) Received: from [10.107.235.86] ([166.205.138.225]) by mx.google.com with ESMTPS id w42sm2391534wfh.3.2010.12.09.04.04.51 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 09 Dec 2010 04:04:52 -0800 (PST) References: <4D00ABFE.5070403@hristov.com> Message-ID: <08DF04DF-74CE-4E4D-8A13-116A4834E9E2@lerdorf.com> To: Ferenc Kovacs In-Reply-To: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable X-Mailer: iPad Mail (7B405) Mime-Version: 1.0 (iPad Mail 7B405) Date: Thu, 9 Dec 2010 04:04:26 -0800 Cc: Pierre Joye , Andrey Hristov , PHP Internals List Subject: Re: [PHP-DEV] Deprecating "global" + $GLOBALS, making $_REQUEST, $_GET, $_POST read-only From: rasmus@lerdorf.com (Rasmus Lerdorf) On Dec 9, 2010, at 3:34, Ferenc Kovacs wrote: > On Thu, Dec 9, 2010 at 12:15 PM, Pierre Joye = wrote: >=20 >> hi, >>=20 >> As far as I remember we discussed that already back to the php> mention it> discussions. It was not accepted because of the little >> gains in regard to the major BC breaks. >>=20 >> However I would prefer, as far as it is technically possible, >> deprecate their usage (notices/warnings) and promote filter usage >> instead. The filter API can also be improved to match what we can = find >> in other platform (perl's cgi module for example is quite good) and >> make the input data processing even more user-friendly. >>=20 >> Cheers, >>=20 >>=20 > yeah, to throw in something: > I like the Safe levels and the tainted support in ruby: > http://www.ruby-doc.org/docs/ProgrammingRuby/html/taint.html >=20 > and I = like the > idea that Inspekt provides: > http://funkatron.github.com/inspekt/ > > "Inspekt acts as a firewall API between user input and the rest of the > application. It takes PHP superglobal arrays, encapsulates their data = in an > "cage" object, and destroys the original superglobal. Data can then be > retrieved from the input data object using a variety of accessor = methods > that apply filtering, or the data can be checked against validation = methods. > Raw data can only be accessed via a 'getRaw()' method, forcing the = developer > to show clear intent." >=20 > I like the explicitness of the filtering, but I think that we should = allow > the developers to decide whether to use it or not. You just described exactly how the filter extension works when you = enable a default filter. -Rasmus=