I think as far as the filter functions are concerned this is a good way to go (although I'd change the function name but that's no biggy, filter_input?). I very much see how filter_input(POST, "email", FILTER_EMAIL) is easier as opposed to finding the right regex for emails and it's great re-use.
As far as the INI is concerned, that's probably much more complicated because it would probably have to be on a per-script basis. Did you want to finalize that also for 5.1? What's your thinking on what it would look like? Or were you just thinking of a more general filter that will globally get rid of certain things like XSS, quotes, etc.?
Andi
At 02:41 PM 2/1/2005 -0800, Rasmus Lerdorf wrote:
Andi Gutmans wrote:
As time is very short, I suggest to discuss exactly what we want and then to see if it's possible in a 5.1 time frame.
Can you give a short overview of what you had in mind and how the end-user would be using the functionality?
Well, I am not starting from scratch here. I have code, it just needs a bit of polishing.
But the general idea is to provide an optional filter that people can enable in their ini file. This will strip out any XSS, quotes, braces, etc. The actual list will need to be massaged a bit, and there will be multiple filters so people can choose how strict to be by default.
At the same time a filter access function is provided.
e.g.
$age  = pfilter(POST, 'age', FILTER_DIGITS);
$addr = pfilter(POST, 'addr', FILTER_ALNUM);
$body = pfilter(REQUEST, 'body', FILTER_TAGS);
$raw  = pfilter(COOKIE, 'cook', FILTER_RAW);
We obviously can't turn on the input filter by default, but even without the default filter enabled, providing a set of input filters for people to use so they don't have to come up with complicated regular expressions to check user input will go a long way to make it easier for people to write safer applications. Even people who actually take the step to do input validation tend to get the validation wrong as we have seen in a number of recent examples.
-Rasmus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
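The pfilter() access function sketched in Rasmus's message, modelled in Python as an added example (not code from the thread or from PHP's ext/filter): request data, filter names and the reject-versus-strip behaviour of each filter are assumptions, and the allow-list patterns show two of the validation mistakes the thread alludes to (accepting non-ASCII digits, and `$` matching before a trailing newline).

```python
import re

# Constructed request data standing in for PHP's $_POST, $_REQUEST and $_COOKIE
# (sample values made up for this example).
SOURCES = {
    "POST": {"age": "42", "addr": "221B", "email": "bob@example.com"},
    "REQUEST": {"body": 'Hi <b onclick="x()">there</b><script>alert(1)</script>'},
    "COOKIE": {"cook": "raw=<value>"},
}

# Filter identifiers modelled on the thread's sketch (FILTER_EMAIL from Andi's reply).
FILTER_RAW, FILTER_DIGITS, FILTER_ALNUM, FILTER_TAGS, FILTER_EMAIL = range(5)

# ASCII-only allow-lists applied with fullmatch(). str.isdigit()/str.isalnum()
# would also accept non-ASCII characters such as Arabic-Indic digits, and a
# pattern anchored with "$" would accept "42\n", because "$" matches before a
# trailing newline; both are the kind of mistake hand-written checks make.
_RULES = {
    FILTER_DIGITS: re.compile(r"[0-9]+"),
    FILTER_ALNUM: re.compile(r"[A-Za-z0-9]+"),
    FILTER_EMAIL: re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"),
}
_TAG_RE = re.compile(r"<[^>]*>")


def filter_value(value, flt):
    """Apply one filter to a string. Assumed semantics (the thread does not spell
    them out): FILTER_RAW returns the value untouched, FILTER_TAGS strips anything
    that looks like a tag, and the remaining filters validate and return None on
    rejection so a caller cannot use a bad value by accident."""
    if flt == FILTER_RAW:
        return value
    if flt == FILTER_TAGS:
        # Naive tag stripping as sketched; a real sanitizer needs an HTML parser.
        return _TAG_RE.sub("", value)
    return value if _RULES[flt].fullmatch(value) else None


def pfilter(source, key, flt):
    """Fetch SOURCES[source][key] through a filter; None when missing or rejected."""
    value = SOURCES.get(source, {}).get(key)
    return None if value is None else filter_value(value, flt)


if __name__ == "__main__":
    for src, key, flt in (("POST", "age", FILTER_DIGITS), ("POST", "addr", FILTER_ALNUM),
                          ("REQUEST", "body", FILTER_TAGS), ("COOKIE", "cook", FILTER_RAW)):
        print(src, key, repr(pfilter(src, key, flt)))
```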