Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:51046
Return-Path: <glopes@nebm.ist.utl.pt>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 33916 invoked from network); 16 Dec 2010 13:10:03 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 16 Dec 2010 13:10:03 -0000
Authentication-Results: pb1.pair.com smtp.mail=glopes@nebm.ist.utl.pt; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=glopes@nebm.ist.utl.pt; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain nebm.ist.utl.pt from 193.136.128.21 cause and error)
X-PHP-List-Original-Sender: glopes@nebm.ist.utl.pt
X-Host-Fingerprint: 193.136.128.21 smtp1.ist.utl.pt Linux 2.6
Received: from [193.136.128.21] ([193.136.128.21:54272] helo=smtp1.ist.utl.pt)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 32/01-28099-8AF0A0D4 for <internals@lists.php.net>; Thu, 16 Dec 2010 08:10:02 -0500
Received: from localhost (localhost.localdomain [127.0.0.1])
	by smtp1.ist.utl.pt (Postfix) with ESMTP id E522770003D7;
	Thu, 16 Dec 2010 13:09:57 +0000 (WET)
X-Virus-Scanned: by amavisd-new-2.6.4 (20090625) (Debian) at ist.utl.pt
Received: from smtp1.ist.utl.pt ([127.0.0.1])
	by localhost (smtp1.ist.utl.pt [127.0.0.1]) (amavisd-new, port 10025)
	with LMTP id eHFtnAfbBRLf; Thu, 16 Dec 2010 13:09:57 +0000 (WET)
Received: from nebm.ist.utl.pt (unknown [IPv6:2001:690:2100:4::58])
	by smtp1.ist.utl.pt (Postfix) with ESMTP id 5049A700043C;
	Thu, 16 Dec 2010 13:09:57 +0000 (WET)
Received: from localhost ([127.0.0.1] helo=nebm.ist.utl.pt)
	by nebm.ist.utl.pt with esmtp (Exim 4.69)
	(envelope-from <glopes@nebm.ist.utl.pt>)
	id 1PTDan-0003cA-8n; Thu, 16 Dec 2010 13:09:57 +0000
MIME-Version: 1.0
Date: Thu, 16 Dec 2010 13:09:57 +0000
To: Pierre Joye <pierre.php@gmail.com>
Cc: Ferenc Kovacs <info@tyrael.hu>, <internals@lists.php.net>
Organization: =?UTF-8?Q?N=C3=BAcleo_de_Engenharia_Biom=C3=A9dica_do_Instituto_Superior_T=C3=A9cnico?=
In-Reply-To: <AANLkTikY7OUZJSfkHXr2jTnA3_c0SaQ6u=d1qhgn6reF@mail.gmail.com>
References: <op.vnb0shjiidpuyk@damnation.dulce.lo.geleia.net> <op.vngrk2s3idpuyk@damnation.dulce.lo.geleia.net> <AANLkTintNBB_NGbxWNyGFDm5sJh1_L+1PqaGty45GJjG@mail.gmail.com> <AANLkTi=yk3fkz5Q-8Etw88mg1UDm-oLzB7wz0e65zZRB@mail.gmail.com> <AANLkTikY7OUZJSfkHXr2jTnA3_c0SaQ6u=d1qhgn6reF@mail.gmail.com>
Message-ID: <6b2ba5e56d64910c49bb431ba1e36e17@nebm.ist.utl.pt>
X-Sender: glopes@nebm.ist.utl.pt
User-Agent: RoundCube Webmail/0.3
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [PATCH] Add option to disable POST data processing
From: glopes@nebm.ist.utl.pt (Gustavo Lopes)

On Thu, 16 Dec 2010 12:47:43 -0000, Pierre Joye <pierre.php@gmail.com>
wrote:

As I said in IRC, I see no value in having an option that disables
accessing POST data completely (i.e. the behavior of
enable_post_data_reading=Off + disallowing reading it through
php://input).

With enable_post_data_reading=Off, the only way to access the data is
through php://input; if the script uses the wrapper to read the data is
because it presumably needs, or expects, such data. If the script doesn't
need it, it won't read php://input. Activating a putative option that
completely disabled reading POST data would break the first script and
would have no effect on the second. And it's not like there would be
performance benefits from introducing such as option.

More importantly, the enable_post_data_reading is to allow efficient
handling of POST data and access to raw POST data with multipart requests.
Adding an option that disables accessing POST data completely would not
help.

> On Thu, Dec 16, 2010 at 1:42 PM, Ferenc Kovacs <info@tyrael.hu> wrote:
>
>> So currently we didn't talk about security measures, but performance   

>> gains:
>> If somebody wants to write a script, which handles big file uploads,
but
>> only writes it to somewhere (to file, or another stream), then  
>> currently you have to allocate the memory for the post data twice(see  
>> the first email), which is very inefficient if you don't need the  
>> $_POST at all.
>
> yes, but that's something very confusing right now, the naming and the
> other ways to access POST data. The goal of this idea is a good thing
> to do, but the naming and its implementation are confusing (processing
> vs reading vs used at all).
>

I don't thinks it's that confusing. This new option just prevents PHP from
doing any automatic reading and processing of the POST data, leaving it
entirely on the hands of the programmer to that, if he wishes, through
php://input.

What is confusing is the different behavior of PHP with
$HTTP_RAW_POST_DATA and the influence always_populate_post_data and the
different handling of urlencoded vs multipart vs other content-type POST
requests vs non-POST requests with a request body.

-- 
Gustavo Lopes