I know that my opinion probably means diddly but my %2 is free. ;)

If I am understanding all of this right, if the raw variable contains
some shell code like "\x90\x90\x90\xab\xa3\x54\x77" and I do something
like $var = filter(GET,'foo',FILTER_NUMBER); $var would contain
something like " 90 90 90 3 54 77". That still isn't valid; I filtered
it for a number because that's what I am expecting. Valid values would
be something like "12345" or "123.456".

There are some cases where a filter would be nice. Like for a textarea
where a user might insert some HTML, <script> tags, etc. You could strip
out the tags, and accept the rest.

But if I am expecting a field to contain a number I am going to be
looking for an int or a float. If I am expecting a phone number I would
look for something that has a max length, a min length, must contain
numbers, and only a limited set of alpha characters (-,+,.,<SP>).

I want to know TRUE or FALSE: does this variable contain what I expect
it to? If FALSE I don't care what *is* there; as far as I'm concerned it
isn't valid. I probably can't trust it even if it is "filtered". I am
going to return some kind of error, and request that they re-enter the
data.

Jess


-----Original Message-----
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 01, 2005 5:55 PM
To: Nick Loeve
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] PHP 5.1

Nick Loeve wrote:
> 
>> Rasmus Lerdorf wrote:
>>
>>> I don't actually see it as a per-script thing.  Obviously the ini 
>>> would be per-dir Apache configurable, but I see this as being 
>>> something set across the board on a dedicated server that defines 
>>> the security policy of that server.
>>
>>
> Isn't that something you can use mod_security for? I don't know of the
> availability of that module on a standard host, but on a dedicated
> server you could install it.

No, because we don't actually want to lose the raw data.  We need to
save the raw data internally in PHP and make it available via the filter
function.  So if a strict default ini filter is enabled you would have
something like this:

   GET /script.php?foo=<xss hack>123 Hello</xss hack>

   echo $_GET['foo'];

Would output:  123 Hello

   echo filter(GET,'foo',FILTER_RAW);

Would output: <xss hack>123 Hello</xss hack>

   echo filter(GET,'foo',FILTER_NUMBER);
 
Would output:  123

The extra spaces are intentional.  Stripped characters are replaced with
a single space.  So if you had: abc<font size=10>def You would end up
with: abc def

-Rasmus
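As an added illustration (not code from this thread or from the filter extension it proposes; the function names are hypothetical), here are the two approaches side by side in PHP: a strip-to-single-space sanitiser with the semantics Rasmus describes, and the TRUE/FALSE validators Jess describes, run over Jess's "\x90..." example:

```php
<?php
// Added illustration, not the proposed filter() extension.
// sanitize_number(): mimic "stripped characters are replaced with a single
// space", keeping only the characters a number may contain.
function sanitize_number(string $raw): string
{
    // Every run of characters that are not digits or '.' becomes one space.
    return preg_replace('/[^0-9.]+/', ' ', $raw);
}

// validate_number(): Jess's accept/reject check. Accept only an int or a
// float in plain decimal notation ("12345", "-12.5", "123.456").
// The D modifier stops '$' from matching before a trailing newline.
function validate_number(string $value): bool
{
    return preg_match('/^[+-]?(?:\d+|\d*\.\d+|\d+\.\d*)$/D', $value) === 1;
}

// validate_phone(): min/max length, must contain digits, and besides digits
// only the small punctuation set - + . and space is allowed.
function validate_phone(string $value, int $min = 7, int $max = 20): bool
{
    $len = strlen($value);
    if ($len < $min || $len > $max) {
        return false;
    }
    if (preg_match('/[0-9]/', $value) !== 1) {   // at least one digit
        return false;
    }
    return preg_match('/^[0-9+.\- ]+$/D', $value) === 1;
}

// Constructed sample input from the thread (single quotes keep the
// backslashes literal, which is how the example was read above).
$shellcode_text = '\x90\x90\x90\xab\xa3\x54\x77';
$sanitized = sanitize_number($shellcode_text);   // " 90 90 90 3 54 77"

var_dump($sanitized);
var_dump(validate_number($sanitized));           // bool(false): filtered, still not a number
var_dump(validate_number('123.456'));            // bool(true)
var_dump(validate_phone('+1 555.123-4567'));     // bool(true)
var_dump(validate_phone('+1 555 <script>'));     // bool(false): '<' and '>' not allowed
```

The point of the last two lines is that stripping makes the value harmless to echo but does not make it the int or float the script asked for, so a validator still has to reject it.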

--
PHP Internals - PHP Runtime Development Mailing List To unsubscribe,
visit: http://www.php.net/unsub.php
