It is not the goal to "block" but to prevent the usual processing of $_POST
when not required inside a valide POST request which will handle the input
differently.
Le 7 déc. 2010 23:36, "Tig" tigger.on@gmail.com a écrit :
If the objective is to 'block' POST data from getting to PHP, (in
apache) you can use:
http://httpd.apache.org/docs/2.0/mod/core.html#limit
No need to change / add anything to PHP.
-Tig
--
To unsubscribe, visit: http://www.php.net/...
Hi,
Don't have much knowledge about the internal workings of the engine, but I'm
wondering if it's possible to apply "lazy loading" to the $_POST variable,
so that processing only happens if and when it's requested.
That way you wouldn't need the ini setting.
It is not the goal to "block" but to prevent the usual processing of
$_POST
when not required inside a valide POST request which will handle the input
differently.Le 7 déc. 2010 23:36, "Tig" tigger.on@gmail.com a écrit :
If the objective is to 'block' POST data from getting to PHP, (in
apache) you can use:
http://httpd.apache.org/docs/2.0/mod/core.html#limitNo need to change / add anything to PHP.
-Tig
--
To unsubscribe, visit: http://www.php.net/...
On Wed, 08 Dec 2010 00:45:56 -0000, Tjerk Meesters
tjerk.meesters@gmail.com wrote:
Don't have much knowledge about the internal workings of the engine, but
I'm wondering if it's possible to apply "lazy loading" to the $_POST
variable, so that processing only happens if and when it's requested.That way you wouldn't need the ini setting.
In most cases, processing (=parsing) of the POST data already only occurs
when $_POST is requested; however, previously the data was already
entirely copied to two or three memory locations.
If you mean making it so that the data is only read and processed when
$_POST is requested, I suppose that would be possible, but I think it
would require significant code/architectural changes to PHP and to the
sapis. It would also raise other problems, including backwards
compatibility breaks, if we wanted the change to bring any benefit.
For instance, current scripts can, in POST requests, read any number of
times from php://input or $HTTP_RAW_POST_DATA (to simplify, let's say we
even let go $HTTP_RAW_POST_DATA). For this to be possible, you would have
to have the data in memory because you're reading from php://input the
first time, you can't know if it will be read a second time, so you either
break BC or keep everything in memory just in case there's a second read
-- and then you're where you started.
--
Gustavo Lopes
On Wed, 08 Dec 2010 00:45:56 -0000, Tjerk Meesters
tjerk.meesters@gmail.com wrote:Don't have much knowledge about the internal workings of the engine, but
I'm wondering if it's possible to apply "lazy loading" to the $_POST
variable, so that processing only happens if and when it's requested.That way you wouldn't need the ini setting.
In most cases, processing (=parsing) of the POST data already only occurs
when $_POST is requested; however, previously the data was already
entirely copied to two or three memory locations.If you mean making it so that the data is only read and processed when
$_POST is requested, I suppose that would be possible, but I think it
would require significant code/architectural changes to PHP and to the
sapis. It would also raise other problems, including backwards
compatibility breaks, if we wanted the change to bring any benefit.For instance, current scripts can, in POST requests, read any number of
times from php://input or $HTTP_RAW_POST_DATA (to simplify, let's say we
even let go $HTTP_RAW_POST_DATA). For this to be possible, you would have
to have the data in memory because you're reading from php://input the
first time, you can't know if it will be read a second time, so you either
break BC or keep everything in memory just in case there's a second read
-- and then you're where you started.
This example would be solved if during the lazy load you change the
php://input stream to point at the memory location that you read it
into.
For instance, current scripts can, in POST requests, read any number of
times from php://input or $HTTP_RAW_POST_DATA (to simplify, let's say we
even let go $HTTP_RAW_POST_DATA). For this to be possible, you would
have to have the data in memory because you're reading from php://input
the
first time, you can't know if it will be read a second time, so you
either break BC or keep everything in memory just in case there's a
second read
-- and then you're where you started.This example would be solved if during the lazy load you change the
php://input stream to point at the memory location that you read it
into.
I'm sorry, this doesn't make any sense. "The memory location you read
into"? Who says you read the post data into something, much less a
memory location?
--
Gustavo Lopes
For instance, current scripts can, in POST requests, read any number of
times from php://input or $HTTP_RAW_POST_DATA (to simplify, let's say we
even let go $HTTP_RAW_POST_DATA). For this to be possible, you would
have to have the data in memory because you're reading from php://input
the
first time, you can't know if it will be read a second time, so you
either break BC or keep everything in memory just in case there's a
second read
-- and then you're where you started.This example would be solved if during the lazy load you change the
php://input stream to point at the memory location that you read it
into.I'm sorry, this doesn't make any sense. "The memory location you read
into"? Who says you read the post data into something, much less a
memory location?
Sorry, to be more clear:
A lazy load on access to $_POST or $HTTP_RAW_POST_DATA would have to
read the POST data from the SAPI. At that point, the SAPI can keep the
buffer it allocates to read that data as a memory stream, and change its
notion of php://input to refer to that stream.
On Wed, 08 Dec 2010 15:10:30 -0000, Clint Byrum clint@ubuntu.com
wrote:This example would be solved if during the lazy load you change the
php://input stream to point at the memory location that you read it
into.I'm sorry, this doesn't make any sense. "The memory location you read
into"? Who says you read the post data into something, much less a
memory location?Sorry, to be more clear:
A lazy load on access to $_POST or $HTTP_RAW_POST_DATA would have to
read the POST data from the SAPI. At that point, the SAPI can keep the
buffer it allocates to read that data as a memory stream, and change its
notion of php://input to refer to that stream.
What would be possible would be to consume all the data from a SAPI
(typically indirectly from a socket, e.g. an Apache brigade), store it
memory and make php://input read from there (i.e., the current behavior)
but in a lazy manner when $_POST and $HTTP_RAW_POST_DATA are read.
However, this wouldn't solve the problem this option tries to resolve,
i.e., avoid consuming the POST data into memory when all that's needed is
a a stream-like access to that data (it also solves the problem the raw
POST data is not available in multipart requests).
It wouldn't be solved because you would have to copy all the data into
memory to permit multiple reads from php://input (the example I gave) and
to allow reading from $_POST and php://input in the same request (for
example, if you access $_POST first, you have to consume the whole POST
data to build the array; at this point you will have needed to store this
data somewhere to make it available to a subsequent read from php://input).
--
Gustavo Lopes