Reading this very interesting discussion, I have noticed the following thing. You are replacing the problems of the server administrator and the programmer. For example, these words:

But if I am going to run your application on my server, I want a way to make sure no XSS, for example, can get through no matter how badly you may have written the application. That is, the control of my server's security policy has to be up to me, not you. So while there will be filtering functions for you to use, there will also be an ini setting for administrators to force a default filter.


I am sorry. Maybe I don't quite understand, but how can I break the server by using file_put_contents('dangerous string') or by mysql_query('select * from ' . mysql_escape_string('dangerous string'))?

And yet another thing. When will variables be filtered? On input? How should I parse them? On output? But what should I do with my old echo htmlspecialchars('dangerous string') constructions? They will be broken.

Unfortunately, hosting providers should still moderate their servers some other way. And if you talk about badly written applications, it is possible to talk about badly configured servers too.

And, last but not least, if you give administrators a way to block users' freedom, one day they can forget about the feature and well-written applications will break the server.

I think administrators of shared servers should configure their servers safely and not move their problems onto the programmer. If a user (programmer) has written bad code, that code should break just the user's home directory or database and no more. That is the administrator's privilege. And more: I think if a programmer has broken their own server, it is [her]his [customer's] problem. Why limit others? Preventing users from modifying filters will produce only problems, and one day all experienced programmers will start using $_RAWGET instead of $_GET :-)

Also, users need different filters. And they should have the possibility to change filters in their own scripts. Even if they are administrators. For example, a web site open to all and an admin web interface. In some of my projects hosted on shared servers I can modify php.ini, but I can't create one php.ini for the website and another for the admin web interface.

It is sad, but I think there is one way to protect servers from bad programmers. Yes, by turning on filters (which the user can change anywhere in the application). And by writing functions such as file_put_contents() or adding features such as placeholders: easy to use, and able to solve 99% of an application's problems.

I think an ini variable (of course, if the user can modify it anywhere) is good for this. Maybe it would be good to write special function[s] for modifying the variable:
<?php
post_filter_off();
//do something
post_filter('custom');
//do other
?>


Sveta.

--
S uvazheniem,                           Sveta Smirnova
Best regards,     sorry for English,    Sveta Smirnova
mailto:[EMAIL PROTECTED]



--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
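
The double-escaping concern raised in the message above (existing `echo htmlspecialchars(...)` code running behind a forced default input filter), as an added example that is not part of the original e-mail or of PHP itself. `forced_input_filter()` and `legacy_render()` are hypothetical names, and the forced filter is assumed to HTML-escape every incoming value.

```php
<?php
// Added illustration; not code from the thread or from PHP itself.
// forced_input_filter() is a hypothetical stand-in for an administrator-forced
// default filter, assumed here to HTML-escape every incoming value.
function forced_input_filter(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Existing application code of the kind the message mentions:
// it escapes at output time, in the HTML context where the value is used.
function legacy_render(string $value): string
{
    return '<p>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample input: a harmless comment containing markup characters.
$raw = 'Tom & Jerry <3 PHP';

// Without the forced filter the legacy code escapes exactly once.
echo legacy_render($raw), "\n";

// With the forced filter the value arrives already escaped, so the legacy
// output escaping encodes the entities a second time and the visitor sees
// literal "&amp;" and "&lt;" text instead of "&" and "<".
echo legacy_render(forced_input_filter($raw)), "\n";

// The filtered value is also HTML-encoded when it reaches non-HTML sinks
// (a file, a database column), so the stored data differs from what the
// user typed and has to be decoded before any other use.
$stored = forced_input_filter($raw);
var_dump($stored === $raw);
var_dump(html_entity_decode($stored, ENT_QUOTES, 'UTF-8') === $raw);
```

Run it with the PHP command-line interpreter to compare the two rendered lines and to see whether the stored value still matches the raw input.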


