Nick Loeve wrote:Isn't that something you can use mod_security for? I don't know of the availability of that module on a standard host, but on a dedicated server you could install it.Rasmus Lerdorf wrote:
I don't actually see it as a per-script thing. Obviously the ini would be per-dir Apache configurable, but I see this as being something set across the board on a dedicated server that defines the security policy of that server.
No, because we don't actually want to lose the raw data. We need to save the raw data internally in PHP and make it available via the filter function. So if a strict default ini filter is enabled you would have something like this:
GET /script.php?foo=<xss hack>123 Hello</xss hack>
echo $_GET['foo'];
Would output: 123 Hello
echo filter(GET,'foo',FILTER_RAW);
Would output: <xss hack>123 Hello</xss hack>
echo filter(GET,'foo',FILTER_NUMBER);
Would output: 123
This makes me think it would be nice to have a way to test and see if anything was caught by the filters.
I guess:
if (!(filter(GET,'foo',FILTER_RAW);))
//then something was caught?-ryan
-- http://theryanking.com/blog
smime.p7s
Description: S/MIME cryptographic signature
