Benj Carson wrote:
My opinion may not carry any weight here, as I'm just a user of PHP, but this discussion has given me a few ideas.
Neither does mine.. but...

As Ron and Val (and others) have pointed out, there's no way for PHP to know how an *input* value is going to be used. Would it perhaps be better to filter *output* values?

This would break pretty much every application ever written. Consider: <?php echo "<html><body><a href=\"http://www.yahoo.com/\">Yahoo!</a></body></html>"; ?>

The same scheme of proposed filters could instead be applied just-in-time as values hit an output function. ....
This way, when I echo a $_GET variable, it could automatically be run through htmlentities() ....

See the discussion on variable-variable superglobals.

You could definitely catch:
echo "Hello {$_GET['name']}\n";

and MAYBE:
$name = $_GET['name'];
echo "Hello {$name}";

but (without a LOT of reference catching, and other nasty hackery that may or may not work in the end) not:
$one = 'na'; $two = 'me';
$name = $_GET[$one.$two];
echo "Hello $name";


...

But I'm with Derick on this.. it's another magic_quotes_* waiting to happen, if it can EVER be turned on by default. (MHO).

S
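An added example, not from the thread or from PHP itself, of the approach the reply contrasts with automatic output filtering: escape the untrusted value explicitly at the point where it is output, so it makes no difference how the value was obtained. The helper h() and the $_GET contents are constructed for illustration.

```php
<?php
// Added example: escape untrusted *values* at the output point instead of
// filtering every echo. The three access patterns from the message are
// handled the same way because escaping is applied to the data itself, not
// inferred from where the data came from.

// Constructed request data standing in for a real $_GET (hypothetical).
$_GET = ['name' => '<script>alert(1)</script>'];

// Escape for an HTML text or attribute context. htmlspecialchars() is used
// here in place of the htmlentities() mentioned in the thread; both neutralise
// the characters that matter for markup. ENT_QUOTES covers both quote styles.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Case 1: direct superglobal reference in the output statement.
echo "Hello " . h($_GET['name']) . "\n";

// Case 2: value copied to a local first. A static scan would have to follow
// the assignment; explicit escaping at output does not need to.
$name = $_GET['name'];
echo "Hello " . h($name) . "\n";

// Case 3: dynamically built key. Nothing in this statement reveals that
// $name originates from $_GET, yet h() still renders it harmless.
$one = 'na'; $two = 'me';
$name = $_GET[$one . $two];
echo "Hello " . h($name) . "\n";

// The Yahoo! example from the thread: markup written by the developer is
// trusted template output and must not be escaped, which is why a blanket
// filter on echo breaks existing applications. Only the untrusted value
// placed inside the attribute goes through h(); the tags are emitted as-is.
echo '<html><body><a href="http://www.yahoo.com/" title="' . h($_GET['name'])
   . '">Yahoo!</a></body></html>' . "\n";
```

Run with `php example.php`; the first three lines print the script tag as literal text and the final line is valid HTML with the payload confined to the title attribute.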

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php