Newsgroups: php.internals
Xref: news.php.net php.internals:63153
Date: Wed, 19 Sep 2012 09:57:56 -0700
From: mike503@gmail.com (Michael Shadle)
To: Michael Stowe
Cc: Andrew Faulds, Lars Strojny, Leigh, "internals@lists.php.net"
Subject: Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class

On Wed, Sep 19, 2012 at 9:21 AM, Michael Stowe wrote:
> Andrew, I'm the biggest advocate of OOP out there, but the purpose of this
> is to provide a nice convenient layer for all developers to use to properly
> escape code and increase security within their applications. As such, we
> need to cater to the resistance...err, I mean Procedural Purists and those
> who are beginning PHP development and are not yet comfortable with OOP.

If you want to play with OO all day, then use Java. PHP was built on procedural, and now all you OO fanboys are going nuts with it. :)

On a short-lived web request I see no reason to complicate and obfuscate the code with OO.

This is becoming religious now, and a fight I will probably lose, but think about PHP core, it does not need to actually start having "OO only" stuff, especially when we're talking about one-line functions. Next you'll start saying "why can't I do $string = new String(); $string->input($input); $string->replace($output);" or something, instead of str_replace.

You can always build something from a basic simple foundation, which is how PHP's OO is built anyway. Don't complicate things because of personal preference. There is no reason it cannot stay a simple function call or two. Wrap that in as many classes as you wish on your own time. :)