Newsgroups: php.internals
Xref: news.php.net php.internals:53492
Message-ID: <57392.5975f3c3.1308676323.nsm@avilys.eik.lt>
In-Reply-To: <4E00C5D0.9020302@thelounge.net>
References: <4DFF7A12.8060808@sugarcrm.com> <4E00818C.7040201@lsces.co.uk> <4E008EA3.4000403@lsces.co.uk> <41269.5975f3c3.1308671739.nsm@avilys.eik.lt> <4E00C370.9040803@thelounge.net> <4E00C5D0.9020302@thelounge.net>
Date: Tue, 21 Jun 2011 20:12:03 +0300 (EEST)
From: tokul@users.sourceforge.net ("Tomas Kuliavas")
To: internals@lists.php.net
Subject: Re: [PHP-DEV] foreach() for strings

On 2011.06.21 19:24, Reindl Harald wrote:
>
> On 21.06.2011 18:22, Ferenc Kovacs wrote:
>> On Tue, Jun 21, 2011 at 6:14 PM, Reindl Harald wrote:
>>
>>> On 21.06.2011 17:55, Tomas Kuliavas wrote:
>>>
>>>> They submit it in utf-8 only if your html form allows them to do that or
>>>> they don't follow html specification and try to exploit your form. Set
>>>> form input charset to iso-8859-1 and your nbspace will take only one byte.
>>>
>>> and this naive attitude is the root of most security problems!
>>>
>>> why do you believe that every client submission is coming over
>>> your form or generally over anything you can control?
>>
>> that doesn't matter here, Tomas just corrected John, that his statement that
>> chrome will always use utf-8 encoding for some special character isn't true.
>> browsers will adhere to the
>> http://www.w3.org/TR/html401/interact/forms.html#adef-accept-charset
>> of course you can't trust user input, and you have to validate it, but this
>> has nothing to do with this topic
>
> it has
>
> how do you validate input if the string functions have undefined results,
> which you probably use for your validation?

I've never said that he should trust user input. I've only said that his valid user inputs depend on the html form format. utf-8 is a strict format. If you expect utf-8 and someone submits something else, you can tell that without any string function. You can verify utf-8 strings in pcre. You can convert nbspace to regular space, if you want. utf-8 does not have any byte sequence that can collide with the nbspace byte sequence in utf-8.

-- 
Tomas
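The check Tomas describes in his last paragraph, written out as an added PHP example (it is not code from the thread or from PHP itself): a submitted value is first verified to be well-formed UTF-8 with PCRE's /u modifier, and only then is U+00A0 (NO-BREAK SPACE, bytes C2 A0) folded to an ordinary space. The function names and the three sample inputs are my own constructions; the samples stand in for what a UTF-8 form and an ISO-8859-1 form would each submit for "foo&nbsp;bar".

```php
<?php
// Added example, not from the mailing-list thread or from PHP's own code.
// Sample inputs are constructed below; nothing is read from a real request.

/**
 * Return true if $s is well-formed UTF-8.
 * With the /u modifier PCRE validates the whole subject before matching:
 * on malformed input preg_match() returns false and preg_last_error()
 * reports PREG_BAD_UTF8_ERROR, so no other string function is needed.
 */
function is_valid_utf8($s)
{
    return preg_match('//u', $s) === 1;
}

/**
 * Replace every NO-BREAK SPACE with an ordinary space.
 * In UTF-8, U+00A0 is exactly the two bytes C2 A0. Because UTF-8 is
 * self-synchronising (a lead byte C2 is never a continuation byte and
 * A0 is never a lead byte), C2 A0 cannot appear inside the encoding of
 * any other character, so a plain byte replacement is safe once the
 * string has been validated as UTF-8.
 */
function nbsp_to_space($s)
{
    return str_replace("\xC2\xA0", " ", $s);
}

// Constructed samples (hypothetical form submissions):
$samples = array(
    'utf8_nbsp'   => "foo\xC2\xA0bar",  // UTF-8 form: nbspace is two bytes
    'latin1_nbsp' => "foo\xA0bar",      // ISO-8859-1 form: nbspace is one byte
    'plain'       => "foo bar",         // nothing to normalise
);

foreach ($samples as $name => $value) {
    if (!is_valid_utf8($value)) {
        // The client did not send what the form's accept-charset asked for;
        // reject rather than guess an encoding.
        printf("%-12s rejected (not UTF-8, pcre error %d)\n",
               $name, preg_last_error());
        continue;
    }
    printf("%-12s ok -> %s\n", $name, bin2hex(nbsp_to_space($value)));
}
```

The order matters: running the byte replacement before the validity check would silently accept the ISO-8859-1 sample (a lone 0xA0 is not touched by the C2 A0 replacement, and the string is then passed on malformed), which is exactly the situation Reindl's objection is about. Validating first turns the charset mismatch into a hard rejection.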