On Feb 6, 2005, at 2:14 PM, Christian Schneider wrote:

Benj Carson wrote:
My opinion may not carry any weight here, as I'm just a user of PHP, but this discussion has given me a few ideas. As Ron and Val (and others) have pointed out, there's no way for PHP to know how an *input* value is going to be used. Would it perhaps be better to filter *output* values?

I think the main problem is that Ron and Rasmus are talking about different stuff:
a) Ron is a developer who knows how to handle data in a secure way and doesn't want any magic to interfere. All he needs is easy support to do the necessary escaping depending on the use. I'm not sure if PHP doesn't already have the proper tools to do this.

I don't know Ron, but you should almost certainly change that to 'Ron is a developer who thinks he knows how to handle data....' The key point being that few people intentionally write exploitable code (and no amount of automatic fixup will save you from that crowd). Even people that are aware of security issues in input validation routinely make mistakes.

George

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
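The point raised in the thread (PHP cannot know at input time which sink a value will reach, so escaping belongs at the output) can be shown concretely. The following is an added example, not code from the thread or from PHP itself; it feeds one constructed hostile string to four different sinks and applies the encoding each one actually needs. The `users` table, the function names and the sample value are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread): the same untrusted value needs a
// different encoding for each output context, so escaping is applied at
// the point of use rather than once when the value arrives.

// Constructed sample input, deliberately awkward for several contexts.
$name = "O'Brien <b>\"admin\"</b> & co";

// 1. HTML body / attribute context
function escapeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. URL query-string component
function escapeUrlParam(string $s): string {
    return rawurlencode($s);
}

// 3. JavaScript string literal inside an inline <script> block
function escapeJs(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// 4. SQL: no string escaping at all; the value travels as a bound parameter
//    and never becomes part of the query text.
function findUser(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite (assumed available) so the example runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$ins = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$ins->execute([':name' => $name]);   // stored verbatim, no mangling

echo "HTML: <p>" . escapeHtml($name) . "</p>\n";
echo "URL:  /profile?name=" . escapeUrlParam($name) . "\n";
echo "JS:   <script>var n = " . escapeJs($name) . ";</script>\n";
echo "SQL:  " . json_encode(findUser($db, $name)) . "\n";

// For contrast, what a single input-time "fixup" such as addslashes() yields:
// it is SQL-flavoured, wrong for the three other sinks above, and it would
// also corrupt the stored value once the query layer uses bound parameters.
echo "addslashes(): " . addslashes($name) . "\n";
```

Run it with the PHP CLI (`php example.php`). The stored row comes back with the original apostrophe and angle brackets intact, while each rendered form differs, which is exactly why one escaping pass at input cannot serve all of them.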