Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72834 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 30444 invoked from network); 26 Feb 2014 22:29:07 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 26 Feb 2014 22:29:07 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.54 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.215.54 mail-la0-f54.google.com Received: from [209.85.215.54] ([209.85.215.54:45926] helo=mail-la0-f54.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 7D/46-33783-2BA6E035 for ; Wed, 26 Feb 2014 17:29:07 -0500 Received: by mail-la0-f54.google.com with SMTP id mc6so1135726lab.27 for ; Wed, 26 Feb 2014 14:29:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=m2OQg+KRiEtE7TI7MJNUYllRnVDh5vjTEjC7PGkRNHw=; b=oKnlbJ/ZpSvAgLsOylqKF7ImW4NIoTdhDLrdZletYDEciCeHk98Lvd3url9R9dbUGn qIzsdUnC0F3A6te9a1aUKVlXx8euhLOLVofnhsM1E4FTQ1AMqu8OC7kmVnReiLP4sFIZ vfVk4bhBGpvLyKdhctrpXcQngQrd4y8ftdcqgMujz1Gfks+cTDYDDYcfpKmVgkELRoXi NINjRChc7rMTKLGt+g7PACMo5mkM+9R/nCA+rPppnbRw/AtXwlhpLXI7Eaq2cwRkO8au eDUgkmA27CrFotNQHwGToDl6Whmwe4GPgNYeY56Go0KMiUlq+bC3t6V3zCHzQ8x9CmvP 2iAg== X-Received: by 10.112.72.40 with SMTP id a8mr679lbv.68.1393453743875; Wed, 26 Feb 2014 14:29:03 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.112.205.102 with HTTP; Wed, 26 Feb 2014 14:28:23 -0800 (PST) In-Reply-To: <530DDEC6.9010901@lsces.co.uk> References: <530C3C7B.8080907@sugarcrm.com> <530C77F8.2060809@sugarcrm.com> <1393328380.5233.45.camel@guybrush> <530DADC7.2070302@lsces.co.uk> <530DDEC6.9010901@lsces.co.uk> Date: Thu, 27 Feb 2014 07:28:23 +0900 X-Google-Sender-Auth: 9j5IhMuyngLMEr-uV1hfOQCdeCk Message-ID: To: Lester Caine Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a11c23e2e6a296404f356bb5c Subject: Re: [PHP-DEV] Resolution for ver_export()/addslashes() encoding based script execution attack? From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a11c23e2e6a296404f356bb5c Content-Type: text/plain; charset=UTF-8 Hi Lester, On Wed, Feb 26, 2014 at 9:32 PM, Lester Caine wrote: > Yasuo Ohgaki wrote: > >> As you know, all databases' escaping functions have encoding >> parameter. >> PostgreSQL uses encoding parameter stored in db connection >> structure. This >> is the reason why pg_escape_string() has optional database base >> connection >> parameter for escaping. >> >> >> On the whole any database access I'm doing with Firebird is done using >> parameters which are handled in the database connection rather than >> having >> to worry about many of these sorts of 'protections'. The result for >> me is >> that I don't have to worry about many of the problems the more lax >> handling >> of data in MySQL can create. But the more important thing here is >> that I've >> not used a 'locale' other than UTF8 for websites for many years and >> so the >> whole underlying structure needs fixing rather than trying to patch >> small >> areas that are better handled by doing the job correctly in the first >> place! >> >> >> We cannot force users to use Unicode for database/file/etc ;) >> I'm not proposing use of locale, but new escape API that support multibyte >> encoding. >> > > My point Yasuo is that I think the reason this has been rejected is simply > because there needs to be a more comprehensive review of how 'multi_byte' > characters are handled? There needs to be at least some agreement moving > forward if PHP should be made fully UTF-8 complaint or the alternative > 'ASCII only' for code, so that perhaps 'mb_' SHOULD be the only way to > handle multi byte strings? Short term fixes are just exacerbating the real > problem? Also I don't see how the RFC addressed the problem anyway. While I > use UTF-8 output exclusively I've not had to resort to mbstring extension > to do so yet so would not even use the extra functions in normal production. IMO. PHP core should only support UTF-8 with simple/fast Unicode library. Use UTF-8 internally, allow any encoding for I/O. This will makes many users life easier. > so that perhaps 'mb_' SHOULD be the only way to handle multi byte strings? I agree mostly. It would be feasible solution for now. I don't care what module/feature is going to handle multibyte strings, but we need multiple encoding support for I/O related functions at least. Escape function is one of them. Escaped data is escaped to be outputted somewhere. e.g. That's the reason why we have multiple encoding support for htmlspecialchars(). (We may force to generate all text with UTF-8, then convert when it is outputted, but this is BC.) We cannot force users to use "\n" as line break. Like line break, we cannot force users to specific encoding for I/O. OSX filename is one of them, too. We cannot force OSX to use NFC file name. There are things like these. > Short term fixes are just exacerbating the real problem? I don't think so. It's just an simple addition to mbstirng. We already have various mess around multibyte support. e.g. When we need to know multbyte character length, there is only mb_strlen(). Adding required function for security weighs. Besides, users who don't use mb_*() do not have to care at all. Framework developers that support i18n should care, though. IMHO, both short and long term resolution is good enough. It does not harm nor affect future PHP development at all. It's a module anyway. > I don't see how the RFC addressed the problem anyway. Please research how databases were fixed this issue many years ago. I don't remember well, but I guess it was around 2005. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --001a11c23e2e6a296404f356bb5c--