Hello,

On 10/23/06, Ilia Alshanetsky <[EMAIL PROTECTED]> wrote:
> On 23-Oct-06, at 4:48 AM, Stefan Esser wrote:
> > Hi,
> >
> > I just wanted to remind you that PHP 5.2.0 will be released with
> > broken and inconsistent input filtering.
> >
> > Right now _SERVER is only passed through the input filter for apache 1
> > SAPI. All other SAPIs do not pass _SERVER variables through the filter.
> > This will be a major headache for people using ext/filter etc...
>
> In some SAPIs such as CLI it makes little sense to filter $_SERVER in
> the majority of cases. As a whole I do not believe $_SERVER in its
> entirety needs to be filtered, given that at least 1/2 the data there
> is not based on user-input. My suggestion is that people use the
> filter_var() function to filter components of the $_SERVER
> super-global that they are using. That said, in a future release there
> are plans to extend support to Apache 2 and cgi/fcgi sapis as well as
> add handling for $_REQUEST.

Yes, and more generally as soon as we fix the leaks and the other
troubles we spotted recently. I still like to disable ENV/SERVER support
in 5.2.0 (just like _REQUEST), we can restore it later.

--Pierre

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
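
Added example, not part of the original thread or of PHP's own code: one way to apply the filter_var() suggestion quoted above to the individual $_SERVER entries an application actually reads. The helper name filtered_server(), the key list, the per-key rules and the sample values are assumptions for illustration, and the code needs PHP 7.1 or later.

```php
<?php
/**
 * Validate only the $_SERVER entries the application uses.
 * A key that is missing or fails its rule comes back as null,
 * so callers can fail closed instead of using the raw value.
 */
function filtered_server(array $server): array
{
    // Hypothetical per-key rules: [filter id, options/flags for filter_var()].
    $rules = [
        // Client-controlled header. A "host:port" value is rejected by this rule.
        'HTTP_HOST' => [FILTER_VALIDATE_DOMAIN, ['flags' => FILTER_FLAG_HOSTNAME]],
        // Set by the SAPI, still checked before it reaches logs or access rules.
        'REMOTE_ADDR' => [FILTER_VALIDATE_IP, []],
        'SERVER_PORT' => [FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 65535]]],
        // Client-controlled: printable ASCII only, no spaces or line breaks.
        'REQUEST_URI' => [FILTER_VALIDATE_REGEXP,
            ['options' => ['regexp' => '#^/[\x21-\x7e]*$#D']]],
        // Client-controlled free text: keep it, minus control characters.
        'HTTP_USER_AGENT' => [FILTER_UNSAFE_RAW, ['flags' => FILTER_FLAG_STRIP_LOW]],
    ];

    $out = [];
    foreach ($rules as $key => [$filter, $options]) {
        if (!isset($server[$key]) || !is_string($server[$key])) {
            $out[$key] = null;
            continue;
        }
        $value = filter_var($server[$key], $filter, $options);
        $out[$key] = ($value === false) ? null : $value;
    }
    return $out;
}

// Constructed sample standing in for $_SERVER. REQUEST_URI carries a CR/LF
// pair and HTTP_USER_AGENT carries control bytes to exercise the rules.
$sample = [
    'HTTP_HOST'       => 'example.test',
    'REMOTE_ADDR'     => '192.0.2.10',
    'SERVER_PORT'     => '443',
    'REQUEST_URI'     => "/index.php?id=1\r\nX-Injected: 1",
    'HTTP_USER_AGENT' => "Mozilla/5.0\x00\x1b[31m",
];
var_dump(filtered_server($sample));
```

Because the rules are applied to an array passed in rather than to the super-global directly, the same function works under SAPIs where, as the thread notes, $_SERVER is not passed through the input filter.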