Newsgroups: php.internals
Date: Tue, 21 Jun 2011 19:51:47 +0200
Organization: the lounge interactive design
To: internals@lists.php.net
Message-ID: <4E00DA33.9040504@thelounge.net>
In-Reply-To: <57392.5975f3c3.1308676323.nsm@avilys.eik.lt>
Subject: Re: [PHP-DEV] foreach() for strings
From: Reindl Harald <h.reindl@thelounge.net>

On 21.06.2011 19:12, Tomas Kuliavas wrote:
>>>> and this naive attitude is the root of most security problems!
>>>>
>>>> why do you believe that every client submission is coming over
>>>> your form or generally over anything you can control?
>>>>
>>> that doesn't matter here, Tomas just corrected John, that his statement
>>> that chrome will always use utf-8 encoding for some special character
>>> isn't true.
>>> browsers will adhere to the
>>> http://www.w3.org/TR/html401/interact/forms.html#adef-accept-charset
>>> of course you can't trust user input, and you have to validate it, but
>>> this has nothing to do with this topic
>>
>> it has
>>
>> how do you validate input if the string-functions have undefined results
>> which you probably use for your validation?
>
> I've never said that he should trust user input. I've only said that his
> valid user inputs depend on html form format.

and i told you that this in the real world is utopic
there is a world outside of forms

show me FIVE php-apps which are using "accept-charset"
not one of mine - they do and even there i can not be sure that all of the
thousands of scripts/websites i wrote use it really everywhere

> utf-8 is strict format. If you expect utf-8 and someone submits something
> else, you can tell that without any string function. You can verify utf-8
> strings in pcre.
> You can convert nbspace to regular space, if you want.
> utf-8 does not have any byte sequence that can collide with nbspace byte
> sequence in utf-8

show me a practicable way to detect if some input data contains UTF8
mb_string-functions are out of the game because there are many servers
even of really big companies where they are not available

so the problem is simply that you can not really write portable and
well performing code that is aware of UTF8
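The two claims argued over above (that UTF-8 can be verified in pcre without any string function, and that a U+00A0 byte sequence cannot collide with anything else in well-formed UTF-8) can be checked directly. The following is an added example written for this page; it is not code from the thread, from either poster, or from PHP itself. It assumes nothing beyond core PHP and ext/pcre: `is_valid_utf8_pcre` uses the PCRE `/u` modifier, `is_valid_utf8_bytes` is a plain byte walk for hosts where even pcre cannot be relied on, and `nbsp_to_space` is the no-break-space replacement Tomas describes. The function names and the sample inputs are constructed for the example.

```php
<?php
// Added example (not from the thread): portable UTF-8 validation that
// does not need ext/mbstring, plus the nbsp -> space replacement.

// 1. PCRE with the /u modifier. On a malformed UTF-8 subject preg_match()
//    returns false (not 0) and preg_last_error() is PREG_BAD_UTF8_ERROR.
//    An empty pattern matches any well-formed subject, so only the
//    encoding check is exercised.
function is_valid_utf8_pcre($s)
{
    return preg_match('//u', $s) === 1;
}

// 2. Pure-PHP byte walk following the RFC 3629 well-formedness table.
//    Rejects overlong forms, UTF-16 surrogates and anything above U+10FFFF,
//    and works on any PHP version since it only uses ord() and strlen().
function is_valid_utf8_bytes($s)
{
    $len = strlen($s);
    $i = 0;
    while ($i < $len) {
        $b = ord($s[$i]);
        if ($b < 0x80) { $i++; continue; }                                 // ASCII
        if ($b >= 0xC2 && $b <= 0xDF)     { $need = 1; $lo = 0x80; $hi = 0xBF; }
        elseif ($b === 0xE0)              { $need = 2; $lo = 0xA0; $hi = 0xBF; } // no overlong
        elseif ($b >= 0xE1 && $b <= 0xEC) { $need = 2; $lo = 0x80; $hi = 0xBF; }
        elseif ($b === 0xED)              { $need = 2; $lo = 0x80; $hi = 0x9F; } // no surrogates
        elseif ($b >= 0xEE && $b <= 0xEF) { $need = 2; $lo = 0x80; $hi = 0xBF; }
        elseif ($b === 0xF0)              { $need = 3; $lo = 0x90; $hi = 0xBF; } // no overlong
        elseif ($b >= 0xF1 && $b <= 0xF3) { $need = 3; $lo = 0x80; $hi = 0xBF; }
        elseif ($b === 0xF4)              { $need = 3; $lo = 0x80; $hi = 0x8F; } // <= U+10FFFF
        else { return false; }                     // C0, C1, F5..FF or a stray continuation byte
        if ($i + $need >= $len) { return false; }  // sequence truncated at end of input
        $c = ord($s[$i + 1]);
        if ($c < $lo || $c > $hi) { return false; } // second byte has the narrowed range
        for ($k = 2; $k <= $need; $k++) {
            $c = ord($s[$i + $k]);
            if ($c < 0x80 || $c > 0xBF) { return false; } // remaining bytes are 10xxxxxx
        }
        $i += $need + 1;
    }
    return true;
}

// U+00A0 is always the two bytes C2 A0 in UTF-8. C2 can only ever be a lead
// byte, so in a string that already passed validation the pair C2 A0 cannot
// be part of any other character and a byte-level replace is safe.
function nbsp_to_space($s)
{
    return str_replace("\xC2\xA0", ' ', $s);
}

// Constructed samples for this example (not inputs from the thread).
$samples = array(
    'ascii'     => "plain text",
    'nbsp'      => "a\xC2\xA0b",        // U+00A0 between a and b
    'overlong'  => "\xC0\xAF",          // overlong encoding of '/'
    'surrogate' => "\xED\xA0\x80",      // U+D800, forbidden in UTF-8
    'truncated' => "\xE2\x82",          // U+20AC with its last byte missing
    'latin1'    => "caf\xE9",           // ISO-8859-1 e-acute, not UTF-8
);

foreach ($samples as $name => $s) {
    printf("%-10s pcre=%s bytes=%s\n", $name,
        is_valid_utf8_pcre($s) ? 'ok' : 'BAD',
        is_valid_utf8_bytes($s) ? 'ok' : 'BAD');
}
echo bin2hex(nbsp_to_space($samples['nbsp'])), "\n";
```

Both checks agree on every sample: only `ascii` and `nbsp` pass, and the nbsp line comes back as the three bytes of "a b". The byte walk is there for the portability objection in the thread; where pcre is available the `/u` check is the shorter and faster of the two, and both should run before any byte-oriented string function is applied to the input, since validation on malformed input is exactly what the thread is arguing cannot be trusted.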