Subject: Re: [PHP-DEV] foreach() for strings
From: Ferenc Kovacs <tyra3l@gmail.com>
To: Reindl Harald
Cc: internals@lists.php.net
Date: Tue, 21 Jun 2011 18:42:40 +0200

On Tue, Jun 21, 2011 at 6:24 PM, Reindl Harald wrote:

> On 21.06.2011 18:22, Ferenc Kovacs wrote:
> > On Tue, Jun 21, 2011 at 6:14 PM, Reindl Harald wrote:
> >>
> >> On 21.06.2011 17:55, Tomas Kuliavas wrote:
> >>
> >>> They submit it in utf-8 only if your html form allows them to do that or
> >>> they don't follow html specification and try to exploit your form. Set
> >>> form input charset to iso-8859-1 and your nbspace will take only one byte.
> >>
> >> and this naive attitude is the root of most security problems!
> >>
> >> why do you believe that every client submission is coming over
> >> your form or generally over anything you can control?
> >>
> > that doesn't matter here, Tomas just corrected John; his statement that
> > chrome will always use utf-8 encoding for some special character isn't true.
> > browsers will adhere to the
> > http://www.w3.org/TR/html401/interact/forms.html#adef-accept-charset
> > of course you can't trust user input, and you have to validate it, but this
> > has nothing to do with this topic
>
> it has
>
> how do you validate input if the string functions which you probably use for
> your validation have undefined results?

what do you mean by undefined?
If you use iso-8859-1 in your whole app and database, it doesn't matter from the security POV if somebody sends you crafted utf-8 data. If you mix up your encodings or you don't escape with the proper encoding, then that can hit you (http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string).

The multibyte support in the php core isn't undefined, just unsupported. :/ Use intl or mbstring for handling multibyte encodings.

Tyrael
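One way to apply the advice in this reply (validate in the charset the application actually uses, and measure with mbstring rather than the byte-based core functions), as an added example that is not part of the thread. It assumes a UTF-8 application and constructs its own sample inputs, including the one-byte ISO-8859-1 non-breaking space discussed above.

```php
<?php
// Added example, not from the php.internals thread: keep ONE charset from
// input through escaping to the database, and reject input that is not
// well-formed in that charset before any byte-oriented function sees it.

declare(strict_types=1);

const APP_CHARSET = 'UTF-8';   // assumption: app and DB are UTF-8 throughout

/**
 * Return the input unchanged if it is valid in APP_CHARSET and within the
 * character limit, or null if it must be rejected. Length is counted in
 * characters via mbstring, not in bytes via strlen().
 */
function validate_name(string $raw, int $maxChars = 20): ?string
{
    // A lone 0xA0 (ISO-8859-1 nbsp) is an invalid UTF-8 sequence; such
    // bytes must not reach escaping or storage under a different charset.
    if (!mb_check_encoding($raw, APP_CHARSET)) {
        return null;
    }
    if (mb_strlen($raw, APP_CHARSET) > $maxChars) {
        return null;
    }
    return $raw;
}

// Constructed inputs: the UTF-8 non-breaking space is two bytes (C2 A0),
// the ISO-8859-1 one is a single byte (A0) that is not valid UTF-8.
$utf8Nbsp   = "Jo\xC2\xA0hn";
$latin1Nbsp = "Jo\xA0hn";

printf("utf8 nbsp:   bytes=%d chars=%d accepted=%s\n",
    strlen($utf8Nbsp),
    mb_strlen($utf8Nbsp, APP_CHARSET),
    validate_name($utf8Nbsp) === null ? 'no' : 'yes');

printf("latin1 nbsp: bytes=%d valid-utf8=%s accepted=%s\n",
    strlen($latin1Nbsp),
    mb_check_encoding($latin1Nbsp, APP_CHARSET) ? 'yes' : 'no',
    validate_name($latin1Nbsp) === null ? 'no' : 'yes');

// If a client is known to send ISO-8859-1 (e.g. a form with that
// accept-charset), convert once at the boundary and never mix afterwards.
$converted = mb_convert_encoding($latin1Nbsp, APP_CHARSET, 'ISO-8859-1');
printf("converted:   bytes=%d accepted=%s\n",
    strlen($converted),
    validate_name($converted) === null ? 'no' : 'yes');
```

The same rule applies to escaping: whatever escapes for the database must be told the connection charset, which is the point of the addslashes-versus-mysql_real_escape_string article linked above.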