On Wed, 2 Feb 2005, Christian Schneider wrote:

> Rasmus Lerdorf wrote:
> > I don't actually see it as a per-script thing. Obviously the ini would
> > be per-dir Apache configurable, but I see this as being something set
> > across the board on a dedicated server that defines the security policy
> > of that server. Shared servers are most likely not going to be able to
>
> Uh, that's a big goal but also asking for trouble. As you pointed out
> there is a different rule on what's safe for a specific input variable
> based on what it's used for (e.g. SQL, output, shell arg) and what's
> not. Wouldn't one have to set up default filters for every possible use
> to be safe then, i.e. a combination of all filters?
>
> Another major point would be to handle UTF8 properly, something which is
> not easily handled by regular expressions, right?
preg supports UTF-8 just fine, but UTF-8 is not the only encoding in use
(think about most of China ;-) so you have a point. Simply, in those cases
people can simply choose not to filter at all, or we can provide this
ourselves later when we have real unicode support.

Derick

-- 
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
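As an added illustration of the two points raised in this exchange (that "safe" depends on the sink the value reaches, and that preg handles UTF-8 when told to), here is a PHP script that is not part of the thread or of any PHP extension: one input is validated once with a `/u` pattern, then encoded separately for HTML, SQL and a shell argument. The function names and the `users` table are invented for the example.

```php
<?php
// Added example (not from the thread): one value, validated once, then
// encoded per sink. No single "default filter" would serve all three.
declare(strict_types=1);

// Validation: the /u modifier makes the pattern operate on UTF-8 code points,
// so the two bytes of "ë" are matched as one letter instead of two bytes.
function validate_name(string $raw): ?string
{
    if (!preg_match('/^[\p{L}\p{M}\' .-]{1,64}$/u', $raw)) {
        return null; // reject; the caller decides how to report it
    }
    return $raw;
}

// Sink 1: HTML output. Escape for the HTML context, charset stated explicitly.
function for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Sink 2: SQL. Do not escape by hand; bind the value as a parameter so the
// apostrophe in "O'Brien" is data, never part of the statement.
function find_user(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Sink 3: shell argument. escapeshellarg() quotes for the shell and knows
// nothing about HTML or SQL, so neither of the other encoders replaces it.
function grep_command(string $value): string
{
    return 'grep -F -- ' . escapeshellarg($value) . ' /var/log/app.log';
}

// Constructed sample input: a valid UTF-8 name with an apostrophe (harmless
// in HTML, meaningful in SQL and shell) and one that fails validation.
$samples = ["Zoë O'Brien", "<b>x</b>; rm -rf /"];
foreach ($samples as $raw) {
    $name = validate_name($raw);
    echo $raw, ' -> ', $name === null ? 'rejected' : 'accepted', PHP_EOL;
    if ($name !== null) {
        echo '  html : ', for_html($name), PHP_EOL;      // O&#039;Brien
        echo '  shell: ', grep_command($name), PHP_EOL;  // 'Zoë O'\''Brien'
    }
}
```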