Newsgroups: php.internals
From: tyra3l@gmail.com (Ferenc Kovacs)
To: Reindl Harald
Cc: internals@lists.php.net
Date: Tue, 21 Jun 2011 18:22:18 +0200
Subject: Re: [PHP-DEV] foreach() for strings

On Tue, Jun 21, 2011 at 6:14 PM, Reindl Harald wrote:

> On 21.06.2011 17:55, Tomas Kuliavas wrote:
>
> > They submit it in utf-8 only if your html form allows them to do that or
> > they don't follow html specification and try to exploit your form. Set
> > form input charset to iso-8859-1 and your nbspace will take only one byte.
>
> and this naive attitude is the root of most security problems!
>
> why do you believe that every client submission is coming over
> your form or generally over anything you can control?

that doesn't matter here, Tomas just corrected John, that his statement that Chrome will always use utf-8 encoding for some special character isn't true.
browsers will adhere to the
http://www.w3.org/TR/html401/interact/forms.html#adef-accept-charset
of course you can't trust user input, and you have to validate it, but this has nothing to do with this topic.

Tyrael
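
Added example, not part of the original message or of PHP itself: a server-side check that does not rely on the form's accept-charset being honoured, run over the no-break space from the thread in both encodings. The helper name `accept_utf8_field`, the length limit and the sample inputs are assumptions constructed for illustration; it needs the mbstring extension.

```php
<?php
// Hypothetical helper (not from the thread): validate the bytes actually
// received instead of assuming the client followed accept-charset.

/** Return the field if it is well-formed UTF-8 within the limit, else null. */
function accept_utf8_field(string $raw, int $maxChars = 200): ?string
{
    // A lone ISO-8859-1 byte such as 0xA0, or a truncated multi-byte
    // sequence, is malformed UTF-8 and is rejected here.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    // Enforce the limit in characters; strlen() would count bytes, and the
    // same character takes 1 or 2 bytes depending on the encoding.
    if (mb_strlen($raw, 'UTF-8') > $maxChars) {
        return null;
    }
    return $raw;
}

// Constructed inputs: the same no-break space (U+00A0) in two encodings,
// plus a sequence cut short by a non-conforming client.
$samples = [
    'utf-8 nbsp'      => "a\xC2\xA0b", // two bytes for U+00A0
    'iso-8859-1 nbsp' => "a\xA0b",     // one byte, invalid as UTF-8
    'truncated utf-8' => "a\xC2",      // lead byte without continuation
];

foreach ($samples as $label => $raw) {
    $ok = accept_utf8_field($raw) !== null;
    printf("%-16s bytes=%d %s\n", $label, strlen($raw), $ok ? 'accepted' : 'rejected');
}
```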