On Mon, October 23, 2006 12:38 pm, Rasmus Lerdorf wrote:
> I had left out SERVER filtering in the initial version for much the
> same reasoning, but it turns out that a good chunk of holes were due
> to the fact that people used $_SERVER['REQUEST_URI'] unfiltered.
> Trying to teach people which SERVER vars are safe and which aren't
> isn't a fun task and the whole point of the filter extension is to
> take away the guessing game.
Perhaps in 6.0 one could consider having:

$_SERVER
$_SERVER_DIRTY

or some similar scheme so that people *know* there is something "wrong" with just blindly using that data...

Or rename it, so it's not "SERVER" for user-supplied data...

I mean, you've labeled it "SERVER" so I figure it comes from the SERVER, right? Not from the USER...

I know, that's a stupid way to look at things, but there it is.

PS Digging the Yahoo! Maps API :-)

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
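The hole Rasmus describes (reflecting $_SERVER['REQUEST_URI'] into a page unfiltered) and the naming confusion the reply complains about, as an added example that is not code from either poster or from the filter extension. The $server array is constructed to stand in for $_SERVER so the script runs from the CLI; the list of client-controlled keys and the path regexp are this example's own choices, not anything PHP defines. It filters with filter_var() on the array value rather than filter_input(INPUT_SERVER, ...), which has historically returned null under some SAPIs.

```php
<?php
// Added example, not from the thread. $server below is a constructed
// stand-in for $_SERVER so this runs without a web server.

// Keys whose values are copied straight from the client's request line and
// headers, so an attacker controls them completely. The "SERVER" prefix says
// nothing about where the data came from. (List is this example's assumption.)
const CLIENT_CONTROLLED = [
    'REQUEST_URI', 'QUERY_STRING', 'PATH_INFO', 'PHP_SELF',
    'HTTP_HOST', 'HTTP_REFERER', 'HTTP_USER_AGENT', 'HTTP_COOKIE',
];

// Return the keys present in the request that must be treated as tainted.
function taintedKeys(array $server): array
{
    return array_values(array_intersect(array_keys($server), CLIENT_CONTROLLED));
}

// Vulnerable: the common "self-posting form" idiom that echoes REQUEST_URI
// into an HTML attribute with no validation and no escaping.
function formActionUnfiltered(array $server): string
{
    return '<form action="' . $server['REQUEST_URI'] . '" method="post">';
}

// Hardened: treat REQUEST_URI as user input. First validate its shape against
// a whitelist of path characters (the regexp is an assumption of this example),
// then escape for the HTML attribute context it is written into.
function formActionFiltered(array $server): string
{
    $uri = filter_var(
        $server['REQUEST_URI'] ?? '',
        FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '#^/[A-Za-z0-9._~/%?&=+-]*$#']]
    );
    if ($uri === false) {
        $uri = '/'; // anything outside the allowed set is discarded, not "cleaned"
    }
    return '<form action="' . htmlspecialchars($uri, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// Constructed request: the path carries an attribute break-out and a script tag.
$server = [
    'REQUEST_URI'     => '/index.php/"><script>alert(1)</script>',
    'HTTP_HOST'       => 'example.test',
    'SERVER_SOFTWARE' => 'Apache',
];

echo 'Tainted keys: ', implode(', ', taintedKeys($server)), "\n";
echo 'Unfiltered:   ', formActionUnfiltered($server), "\n";
echo 'Filtered:     ', formActionFiltered($server), "\n";
```

The validate-then-escape split matters: validation limits REQUEST_URI to the shape a path should have, and htmlspecialchars() handles the specific output context, so the hardened function stays correct even if the whitelist is later loosened to admit characters that are meaningful in HTML.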