Hi all,

On Sat, 1 Oct 2022, Kamil Tekiela wrote:
> For quite some time now, PHP's sanitize filters have "Rustled My
> Jimmies". These filters bother me because I can't really justify their
> existence. I can understand that a few of them are sensible and may
> come in handy, but I would like to talk about some of these in
> particular.

I want to provide some context to why we have ext/filter, and why the filters that we currently have exist.

At the time when we introduced ext/filter (which I mostly wrote), we were beholden to the scourge of "magic quotes". In order for PHP to allow for a safer acceptance of input variables into a script, we added the ext/filter API to do so. The filters and sanitisers that we added were at that moment reasonable to add, and also likely to be used. We did punt on a few, and I am sure we made some 'interesting' decisions. For example the e-mail validator was not designed to allow for what the full spec allowed, but instead what we thought would be input by reasonable people.

The sanitising filters were added to get a rough, but reasonable filter to make data safe for specific contexts. Some of them were added so that people could easily upgrade, by for example setting the default filter to "magic_quotes" (or "add_slashes"). They're probably less useful *now*, but that doesn't detract from the fact that they might still be in use.

I do believe we need to be better in promoting ext/filter's *good use*, of which there are plenty of cases. And evaluating how to *improve* (and not *remove*) filters and sanitisers would be useful too. Do you have specific suggestions towards that?

cheers,
Derick

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
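As an added illustration of the validating-versus-sanitising distinction discussed in this thread (this is example code written for this page, not part of the thread and not code from ext/filter itself): the validating filters return false, or null with FILTER_NULL_ON_FAILURE, and never rewrite the input, while the sanitising filters delete characters and hand back something that may pass validation even though what the user actually sent would not have. The sample inputs, the helper names and the hypothetical findUser() function are constructed for the example; FILTER_SANITIZE_ADD_SLASHES needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Constructed sample values standing in for $_GET / $_POST input (hypothetical).
$samples = [
    'email_ok'     => 'alice@example.com',
    'email_space'  => 'al ice@example.com',                          // mistyped address
    'email_crlf'   => "bob@example.com\r\nBcc: victim@example.org",  // header-injection attempt
    'page_ok'      => '7',
    'page_bad'     => '7; DROP TABLE users',
];

/**
 * Validating filter: answers "is this acceptable as sent?".
 * Returns the unchanged string, or null when it does not validate.
 */
function validateEmail(string $raw): ?string
{
    return filter_var($raw, FILTER_VALIDATE_EMAIL, FILTER_NULL_ON_FAILURE);
}

/**
 * Validating filter with a range: returns an int in [1, 10000], or null.
 * '7; DROP TABLE users' is rejected outright rather than trimmed to 7.
 */
function validatePage(string $raw): ?int
{
    return filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 10000],
        'flags'   => FILTER_NULL_ON_FAILURE,
    ]);
}

/**
 * Sanitising filter: strips every character not allowed in an address.
 * 'al ice@example.com' becomes 'alice@example.com', which then validates,
 * so a typo is silently turned into somebody else's mailbox. The CRLF
 * sample loses its line breaks and colon but is still not a valid address.
 */
function sanitizeEmail(string $raw): string
{
    return (string) filter_var($raw, FILTER_SANITIZE_EMAIL);
}

/**
 * FILTER_SANITIZE_ADD_SLASHES is the addslashes() behaviour that the old
 * magic_quotes default filter emulated. It is not an SQL escaping strategy;
 * the hypothetical findUser() below shows the parameterised query to use instead.
 */
function addSlashesFilter(string $raw): string
{
    return (string) filter_var($raw, FILTER_SANITIZE_ADD_SLASHES);
}

function findUser(PDO $db, string $name): ?array
{
    // Hypothetical schema; the value is bound, never interpolated or slashed.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

foreach ($samples as $name => $raw) {
    printf("%-12s raw=%s\n", $name, json_encode($raw));
    if (str_starts_with($name, 'email')) {
        $valid     = validateEmail($raw);
        $sanitised = sanitizeEmail($raw);
        printf("  validate  -> %s\n", $valid === null ? 'REJECT' : $valid);
        printf("  sanitise  -> %s (validates afterwards: %s)\n",
            $sanitised,
            validateEmail($sanitised) === null ? 'no' : 'yes');
    } else {
        $page = validatePage($raw);
        printf("  validate  -> %s\n", $page === null ? 'REJECT' : (string) $page);
        printf("  slashes   -> %s\n", addSlashesFilter($raw));
    }
}
```

Run it with `php filters.php`. The point to take from the output is the 'email_space' row: validation rejects the address as typed, while sanitising produces an address that validates but is not the one the user entered. For anything that ends up in a query, header or shell command, validate and then use the context's own parameterisation (prepared statements, a mail library that rejects CRLF, escapeshellarg) rather than relying on a sanitising filter.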