Newsgroups: php.internals
Message-ID: <4E00C370.9040803@thelounge.net>
Date: Tue, 21 Jun 2011 18:14:40 +0200
From: h.reindl@thelounge.net (Reindl Harald)
To: internals@lists.php.net
In-Reply-To: <41269.5975f3c3.1308671739.nsm@avilys.eik.lt>
Subject: Re: [PHP-DEV] foreach() for strings

On 21.06.2011 17:55, Tomas Kuliavas wrote:
> They submit it in utf-8 only if your html form allows them to do that or
> they don't follow html specification and try to exploit your form. Set
> form input charset to iso-8859-1 and your nbspace will take only one byte.

and this naive attitude is the root of most security problems!

why do you believe that every client submission is coming over your form
or generally over anything you can control?