But the general idea is to provide an optional filter that people can enable in their ini file. This will strip out any XSS, quotes, braces,
I assume this will include PHP functions to do the filtering as well? (Forgive me if we already have this now, I haven't looked at 5.0 enough yet :-))
$age = pfilter(POST, 'age', FILTER_DIGITS); $addr = pfilter(POST, 'addr', FILTER_ALNUM); $body = pfilter(REQUEST, 'body', FILTER_TAGS); $raw = pfilter(COOKIE,'cook', FILTER_RAW);
Sounds like a good idea (even though the name pfilter reminds me too much of packet filter :-)). A catch-all could be handy too, e.g.
pfilter(REQUEST, DEFAULT, FILTER_TAGS);
which filters anything not handled before. Surely you can come up with a better interface but I hope you get the idea. Being able to define a default filter but still override it for certain variables is what I mean. (Also important would be that FILTER_TAGS is more robust than strip_tags which has some loopholes IIRC)
I agree that making input validation (or filtering) easy is important to help people write safer code. I once wrote a validator in PHP which allowed me to specify allowable tags including attributes and regular expression for the attribute values but it required the input to be XML/XHTML which might be a bit too harsh for most people.
A bit off-topic: I'm sure variable tainting has been discussed before, can some give the final opinion, was it found unsuitable/too much work/too inefficient or was it just post-poned (maybe indefinitely)?
- Chris
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
