Newsgroups: php.internals
Subject: Re: [PHP-DEV] foreach() for strings
From: h.reindl@thelounge.net (Reindl Harald)
To: internals@lists.php.net
Date: Tue, 21 Jun 2011 18:24:48 +0200
Message-ID: <4E00C5D0.9020302@thelounge.net>
References: <4DFF7A12.8060808@sugarcrm.com> <4E00818C.7040201@lsces.co.uk> <4E008EA3.4000403@lsces.co.uk> <41269.5975f3c3.1308671739.nsm@avilys.eik.lt> <4E00C370.9040803@thelounge.net>
OpenPGP: id=7F780279; url=http://arrakis.thelounge.net/gpg/h.reindl_thelounge.net.pub.txt

On 21.06.2011 18:22, Ferenc Kovacs wrote:
> On Tue, Jun 21, 2011 at 6:14 PM, Reindl Harald wrote:
>
>> On 21.06.2011 17:55, Tomas Kuliavas wrote:
>>
>>> They submit it in utf-8 only if your html form allows them to do that or
>>> they don't follow the html specification and try to exploit your form. Set
>>> form input charset to iso-8859-1 and your nbspace will take only one
>>> byte.
>>
>> and this naive attitude is the root of most security problems!
>>
>> why do you believe that every client submission is coming over
>> your form or generally over anything you can control?
>>
> that doesn't matter here, Tomas just corrected John that his statement that
> chrome will always use utf-8 encoding for some special character isn't true.
> browsers will adhere to the
> http://www.w3.org/TR/html401/interact/forms.html#adef-accept-charset
> of course you can't trust user input, and you have to validate it, but this
> has nothing to do with this topic

it has: how do you validate input if the string functions you probably use
for your validation have undefined results?
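The point under discussion, shown in code. This is an added example and is not code from the thread or from PHP's own sources; the three sample submissions are constructed, and the helper names (byteView, charView, validateUtf8Field) are the example's own. It shows why the server cannot lean on the form's accept-charset: the same no-break space can arrive as two UTF-8 bytes, as one ISO-8859-1 byte, or as a truncated sequence, and byte-oriented functions such as strlen() and $s[$i] (which is what a byte-wise foreach over a string would amount to, the subject of this thread) give different answers for each, while mb_check_encoding() lets validation reject anything that is not well-formed before any length or pattern check runs.

```php
<?php
declare(strict_types=1);

// Constructed sample submissions (not taken from the thread). All three are
// things a server may receive for a "no-break space" field regardless of the
// form's accept-charset, because the client is under the sender's control.
$samples = [
    'utf8 nbsp'      => "\xC2\xA0",   // U+00A0 encoded as UTF-8, two bytes
    'latin1 nbsp'    => "\xA0",       // U+00A0 encoded as ISO-8859-1, one byte
    'truncated utf8' => "\xC2",       // UTF-8 lead byte with no continuation byte
];

// Byte-oriented view: strlen() counts bytes and $s[$i] indexes bytes, so a
// loop over the string splits a multi-byte character into fragments that are
// themselves not valid UTF-8.
function byteView(string $s): array
{
    $bytes = [];
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        $bytes[] = sprintf('0x%02X', ord($s[$i]));
    }
    return ['strlen' => strlen($s), 'bytes' => $bytes];
}

// Character-oriented view: only meaningful once the bytes are known to be
// well-formed UTF-8, which mb_check_encoding() verifies first.
function charView(string $s): array
{
    if (!mb_check_encoding($s, 'UTF-8')) {
        return ['valid_utf8' => false];
    }
    return [
        'valid_utf8' => true,
        'mb_strlen'  => mb_strlen($s, 'UTF-8'),
        'chars'      => array_map(
            fn(string $c): string => sprintf('U+%04X', mb_ord($c, 'UTF-8')),
            mb_str_split($s, 1, 'UTF-8')
        ),
    ];
}

// Validation that does not rely on the charset the form declared: reject
// anything that is not well-formed UTF-8 before any length or pattern check,
// then measure in characters rather than bytes.
function validateUtf8Field(string $raw, int $maxChars): string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('field is not valid UTF-8');
    }
    if (mb_strlen($raw, 'UTF-8') > $maxChars) {
        throw new InvalidArgumentException("field exceeds {$maxChars} characters");
    }
    return $raw;
}

foreach ($samples as $label => $raw) {
    printf("%-15s byte view: %s\n", $label, json_encode(byteView($raw)));
    printf("%-15s char view: %s\n", $label, json_encode(charView($raw)));
    try {
        validateUtf8Field($raw, 1);
        echo str_repeat(' ', 16), "accepted\n";
    } catch (InvalidArgumentException $e) {
        echo str_repeat(' ', 16), 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Run with `php example.php` on PHP 7.4 or later (mb_str_split and arrow functions) with the mbstring extension loaded. Only the UTF-8 sample passes validateUtf8Field(); the single 0xA0 byte and the truncated sequence are rejected at the encoding check, before any byte-based function has a chance to misjudge their length.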