Hi all,
I would like to write an RFC that sets appropriate/better defaults.
For example, htmlspecialchars has the following definition now.
string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )
http://php.net/htmlspecialchars
Besides HTML5 allowing non-quoted attributes, the $flags default is better as "ENT_QUOTES | ENT_HTML401", since HTML5 accepts both " and ' as quote chars.
Another example is http_build_query(). It should escape ' ' as '%20' by default, not '+'.
The following is a quick list of what I can think of.
===php.ini===
- session.use_strict_mode=On : Enable strict session ID validation by default
- session.serializer=php_serialize : Use plain PHP's serialize rather than 'php', which is made for register_globals=On.
- session.hash_function=1 : Use SHA1 rather than MD5
- session.http_only=On : Session ID should not be able to be accessed from JS for security reasons.
- opcache.enable=1
===functions===
- session_set_cookie_params()
BEFORE
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )
AFTER
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = TRUE ]]]] )
Note: session_destroy()/session_regenerate_id() should set the destroy flag to TRUE, but I'll address this issue in a different RFC.
- htmlspecialchars()
BEFORE
string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )
AFTER
string htmlspecialchars ( string $string [, int $flags = ENT_QUOTES | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )
- htmlentities()
BEFORE
string htmlentities ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )
AFTER
string htmlentities ( string $string [, int $flags = ENT_QUOTES | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ]]] )
- htmlspecialchars_decode()
BEFORE
string htmlspecialchars_decode ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 ] )
AFTER
string htmlspecialchars_decode ( string $string [, int $flags = ENT_QUOTES | ENT_HTML401 ] )
- html_entity_decode()
BEFORE
string html_entity_decode ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") ]] )
AFTER
string html_entity_decode ( string $string [, int $flags = ENT_QUOTES | ENT_HTML401 [, string $encoding = ini_get("default_charset") ]] )
- http_build_query()
BEFORE
string http_build_query ( mixed $query_data [, string $numeric_prefix [, string $arg_separator [, int $enc_type = PHP_QUERY_RFC1738 ]]] )
AFTER
string http_build_query ( mixed $query_data [, string $numeric_prefix [, string $arg_separator [, int $enc_type = PHP_QUERY_RFC3986 ]]] )
- json_encode()
BEFORE
string json_encode ( mixed $value [, int $options = 0 [, int $depth = 512 ]] )
AFTER
string json_encode ( mixed $value [, int $options = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT [, int $depth = 512 ]] )
Note: These options provide safety when JSON is embedded into HTML/JavaScript context.
- uniqid()
BEFORE
string uniqid ([ string $prefix = "" [, bool $more_entropy = false ]] )
AFTER
string uniqid ([ string $prefix = "" [, bool $more_entropy = TRUE ]] )
There may be others. Please add them if there are any obsolete/unreasonable/insecure defaults.
Any comments?
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
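As an added illustration (not part of the original message), here is what the current ENT_COMPAT default and the plain json_encode() default leave behind when output lands in an HTML attribute, beside the proposed ENT_QUOTES and JSON_HEX_* defaults; all input strings are constructed:

```php
<?php
// Added example (not from the thread): the proposed htmlspecialchars() and
// json_encode() defaults compared with the current ones in attribute context.

// Constructed input: a single quote would close a single-quoted attribute.
$userInput = "x' onmouseover='alert(1)";

// Current default (ENT_COMPAT): only double quotes are converted, so the
// single-quoted attribute below is still terminated early.
$weak = htmlspecialchars($userInput, ENT_COMPAT | ENT_HTML401, 'UTF-8');
// $weak === "x' onmouseover='alert(1)"

// Proposed default (ENT_QUOTES): both quote characters are converted.
$safe = htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML401, 'UTF-8');
// $safe === "x&#039; onmouseover=&#039;alert(1)"

echo "<a title='$weak'>weak</a>\n";   // attribute ends after x, handler injected
echo "<a title='$safe'>safe</a>\n";   // the whole input stays inside title=

// json_encode(): a common pattern is data-* attributes read by JSON.parse().
// By default only '"' (as \") and '/' are escaped; ', <, > and & pass through,
// and & inside an attribute is also subject to HTML entity decoding.
$cfg = ['name' => "O'Brien \"the\" <admin> & co"];
$plain = json_encode($cfg);
// {"name":"O'Brien \"the\" <admin> & co"}
$hexed = json_encode($cfg, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
// {"name":"O\u0027Brien \u0022the\u0022 \u003Cadmin\u003E \u0026 co"}

echo "<div data-cfg='$plain'></div>\n";   // the ' in O'Brien ends the attribute
echo "<div data-cfg='$hexed'></div>\n";   // no literal < > & ' " left in string values;
                                          // \uXXXX escapes are still valid JSON
```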
Hi all,
> - session.hash_function=1 : Use SHA1 rather than MD5
I realized that we should remove hashing for better performance.
Since session ID is generated from crypt secure RNG (/dev/urandom by default), simply converting the data into text is enough. Hashing is slow.
Any comments?
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
> Hi all,
> > - session.hash_function=1 : Use SHA1 rather than MD5
> I realized that we should remove hashing for better performance.
> Since session ID is generated from crypt secure RNG (/dev/urandom by default), simply converting the data into text is enough. Hashing is slow.
> Any comments?
On the contrary, both sha1 and md5 are super fast, so I don't think that is a good argument.
And if you remove the hashing there will be no known length for the session id, and sooner or later people will screw themselves when bumping into some limit or getting their session id truncated (be that a cookie max length or a db field).
--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Hi Ferenc,
> On Tue, Jan 27, 2015 at 11:06 AM, Yasuo Ohgaki yohgaki@ohgaki.net wrote:
> > Hi all,
> > > - session.hash_function=1 : Use SHA1 rather than MD5
> > I realized that we should remove hashing for better performance.
> > Since session ID is generated from crypt secure RNG (/dev/urandom by default), simply converting the data into text is enough. Hashing is slow.
> > Any comments?
> On the contrary, both sha1 and md5 are super fast, so I don't think that is a good argument.
> And if you remove the hashing there will be no known length for the session id, and sooner or later people will screw themselves when bumping into some limit or getting their session id truncated (be that a cookie max length or a db field).
MD5 and SHA1 are reasonably fast. However, when I implemented session.lazy_write I found hashing is spoiling performance with a simple script benchmark.
A lot of session IDs may be generated with browsers that do not support/enable cookies.
Many sites can ignore the overhead, but busy sites get benefits from raw session IDs.
It may be small, but it uses fewer CPU cycles for sure. We may set a long enough fixed length ID with raw session IDs.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
> Another example is http_build_query(). It should escape ' ' as '%20' by default, not '+'.
The quick response is probably 'why', but I probably know the answer, because some standard has changed. The problem with this one is that using a '+' sign when encoding page names is so much easier to read than '%20', and many of the systems I'm still supporting have had that as a standard since PHP4 days. Editing stored data to cope with that change is not as easy as changing code, so what is easy to say in an RFC can have a lot deeper implications!
--
Lester Caine - G8HFL
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
Hi Lester,
> > Another example is http_build_query(). It should escape ' ' as '%20' by default, not '+'.
> The quick response is probably 'why', but I probably know the answer, because some standard has changed. The problem with this one is that using a '+' sign when encoding page names is so much easier to read than '%20', and many of the systems I'm still supporting have had that as a standard since PHP4 days. Editing stored data to cope with that change is not as easy as changing code, so what is easy to say in an RFC can have a lot deeper implications!
I should have mentioned that urldecode() supports both '+' and '%20'.
Therefore, there is no compatibility issue as long as stored data is decoded by urldecode().
I suppose RFC 1738 users are using urldecode(), as rawurldecode() cannot decode '+'. So you and your users wouldn't have BC issues.
Please let me know if I'm missing something.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
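The compatibility argument above, as an added example that is not part of the original message: how the two $enc_type values of http_build_query() encode a space and a literal '+', and which decoder round-trips each form (assumes PHP 5.4+ for the fourth argument; decodeQuery() is a small helper written for this example):

```php
<?php
// Added example (not from the thread): RFC 1738 vs RFC 3986 encoding of a space,
// and which decoder gets the original values back. Input array is constructed.
$params = array('page' => 'my page', 'tag' => 'a+b');

$rfc1738 = http_build_query($params, '', '&', PHP_QUERY_RFC1738);
// page=my+page&tag=a%2Bb   (space -> '+', literal '+' -> %2B)
$rfc3986 = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
// page=my%20page&tag=a%2Bb (space -> %20, literal '+' -> %2B)

// Helper for this example: split a query string and apply the given decoder
// to each key and value.
function decodeQuery($query, $decoder)
{
    $out = array();
    foreach (explode('&', $query) as $pair) {
        list($k, $v) = array_map($decoder, explode('=', $pair, 2) + array(1 => ''));
        $out[$k] = $v;
    }
    return $out;
}

// urldecode() treats '+' as a space and also decodes %20, so it round-trips both
// encodings; rawurldecode() leaves '+' alone, so only the RFC 3986 form survives.
var_dump(decodeQuery($rfc1738, 'urldecode') === $params);     // bool(true)
var_dump(decodeQuery($rfc3986, 'urldecode') === $params);     // bool(true)
var_dump(decodeQuery($rfc1738, 'rawurldecode') === $params);  // bool(false): 'my+page'
var_dump(decodeQuery($rfc3986, 'rawurldecode') === $params);  // bool(true)
```

Stored RFC 1738 data therefore keeps decoding correctly through urldecode() after the default changes; only code that decodes with rawurldecode() would see the old '+' form differently.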
> I suppose RFC 1738 users are using urldecode(), as rawurldecode() cannot decode '+'. So you and your users wouldn't have BC issues.
> Please let me know if I'm missing something.
It's one of those check boxes on my crib sheet for converting legacy sites to 5.4 ... I've had niggles on occasions when a '+' has got lost in the code, and tracking why can be a problem, which is why I commented.
It's the changes in these areas which can cause hair pulling because some other 'bodge' has been used in the past :(
--
Lester Caine - G8HFL
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk