Rasmus Lerdorf wrote:
Derick Rethans wrote:

Well, people turn on safe mode just because the name implies that things
are safe too - which is wrong. I agree with Ilia, we should not mangle
request data by default. It's fine to provide filter functions but the
normal post/get/cookie data should be normally available through GET and
POST - this is starting to look like another magic_quotes. A bad thing!


Well, this is already in 5.0 via the input filtering hook. This is simply a public implementation of that hook. As far as I am concerned the only correct place to put a macro filter is before the data even gets to PHP and various corporate-wide security policies mandate this, or will mandate something like this in the near future. I'd like to be ahead of the curve and not behind it.

I agree. You want to be able to apply the filters before the data even gets to your script. As for the ini options, it's really easy to solve the issue with most of them using .htaccess files.


One key thing that people need to remember is that security needs to be easy. All security solutions lose out when not doing security is that much easier. That includes even the good guys who sometimes need to make that quick hack, etc.

So a solution needs to be easy to add to any application and should be enforceable via a proper setup and should require as little work as possible in day to day programming.

regards,
Lukas

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
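The distinction the thread draws (leave request data as-is by default, filter it explicitly per field, never a magic_quotes-style global rewrite), shown as an added example that is not code from the thread or from PHP itself. It assumes a PHP 7 or later interpreter with the ext/filter extension loaded (the form the input filtering hook later shipped in); the request array, field names and filter choices are constructed for the demonstration.

```php
<?php
// Added example, not from the mailing list thread. Contrasts a
// magic_quotes-style "mangle everything on the way in" approach with explicit,
// per-field filtering via ext/filter. Assumes PHP >= 7 with ext/filter.

// Constructed sample request, standing in for what a client sent.
$request = [
    'id'    => '42; DROP TABLE users',
    'email' => 'alice@example.com',
    'name'  => "O'Brien <script>alert(1)</script>",
];

// The magic_quotes approach: every value is rewritten before the script sees it.
// The original data is gone, and the escaping is for one context (SQL string
// literals) regardless of where the value actually ends up (HTML, a file name,
// an integer column). Legitimate input such as O'Brien arrives damaged.
function magic_quotes_style(array $input): array
{
    return array_map('addslashes', $input);
}

// Explicit filtering: the raw data stays available, and each field is validated
// or sanitized for the context it will be used in. A failed validation yields
// false, which the caller must handle rather than silently using a mangled value.
function filtered_request(array $input): array
{
    return [
        // Must be an integer; anything else (including the injection attempt)
        // returns false instead of a "cleaned" string.
        'id'    => filter_var($input['id'] ?? '', FILTER_VALIDATE_INT),
        // Syntactic e-mail validation; false on failure.
        'email' => filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL),
        // Sanitized for HTML output: quotes, angle brackets and ampersands are
        // HTML-encoded, which is the right escaping for that context. The
        // apostrophe in O'Brien survives in encoded form instead of being
        // backslashed.
        'name'  => filter_var($input['name'] ?? '', FILTER_SANITIZE_SPECIAL_CHARS),
    ];
}

// Hardened usage: validation failures stop the request instead of being
// papered over by a default transformation.
function handle(array $input): string
{
    $clean = filtered_request($input);
    if ($clean['id'] === false || $clean['email'] === false) {
        return 'rejected: invalid id or e-mail';
    }
    return sprintf('accepted: id=%d email=%s name=%s',
        $clean['id'], $clean['email'], $clean['name']);
}

var_dump(magic_quotes_style($request));
var_dump(filtered_request($request));
echo handle($request), PHP_EOL;
```

Note that ext/filter itself can reintroduce the behaviour this thread argues against: the `filter.default` ini setting applies one filter to every value in the input superglobals before the script runs. Leaving it unset and calling filter_var() or filter_input() per field keeps the original data available and makes the escaping match the context where the value is used.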