On Friday 04 February 2005 10:00, Rasmus Lerdorf wrote:
> It comes down to the fact that every single piece of data you get from GET,
> POST, Cookie and some Server variables *must* at the very least be
> passed through htmlentities or striptags before you can display any part
> of them.
Exactly, those are very simple rules. People need to learn that every var they send to the browser needs to be HTML-escaped. Every var that makes it into the database query string needs to be escaped according to that database's standard. If we can make this easier I'd say go for it. But "polluting" PHP's input seems to me like the wrong way to go about it. Even worse, it can be activated by an ini option that would make writing portable PHP code more difficult, thus repeating the magic_* failure.

Edin

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
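The two rules stated in this thread, escape at the point of output and escape at the point of the database query, written out as an added PHP example (not code from the thread or from the PHP project). It assumes a request parameter named `name` and uses an in-memory SQLite database so it runs offline; the `h()` helper is a hypothetical name for an output-escaping wrapper. For the database side it uses PDO parameter binding rather than a per-database string-escaping function, since binding keeps the value out of the SQL text entirely.

```php
<?php
// Added example, not from the mailing-list thread: the two escaping rules in code.
// Rule 1: every value sent to the browser is HTML-escaped at output time.
// Rule 2: every value that reaches a database query is handled according to
//         that database's rules, here by letting PDO bind it as a parameter.

declare(strict_types=1);

// Escape a string for use in an HTML text node or a quoted attribute value.
// ENT_QUOTES covers both quote characters; the charset is stated explicitly
// so the escaper and the page agree on the encoding.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Request input standing in for $_GET['name'] (default is a constructed
// value so the script runs from the command line as well).
$name = $_GET['name'] ?? '<b>guest</b>';

// Unescaped: raw request data is emitted as markup.
// echo "Hello, $name";

// Escaped: the same data is shown literally, whatever it contains.
echo 'Hello, ' . h($name) . "\n";

// Database side: constructed in-memory SQLite so the example is self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('guest'), ('<b>guest</b>')");

// Unescaped: the query string is assembled from request data.
// $db->query("SELECT id FROM users WHERE name = '$name'");

// Bound: the value is passed separately from the SQL text, so no quoting
// convention of the database has to be reproduced by hand.
$stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Output from the database is still untrusted data and goes through h() too.
foreach ($rows as $row) {
    echo 'Matched user ' . (int) $row['id'] . ': ' . h($row['name']) . "\n";
}
```

Run it as `php example.php` or behind a web server with `?name=` set; in both cases the value printed is the literal text of the parameter, and the lookup matches only a row whose stored name is exactly that text. Note that escaping is applied where the data leaves the script (at `echo` and at the query), not where it enters, which is the distinction the thread is drawing against filtering PHP's input globally.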