Stefan Esser:
> Hi Steph,
>
>
> > In a preliminary release for feedback purposes you talk about wrong
> > assumptions? Surely this is the whole point of having a preliminary
> > release for feedback :)
> yes of course it is preliminary. But the whole idea is flawed. It is
> assumed that a single function exists that makes user input secure for
> HTML or for SQL. But in fact there is not.
In my own code, the htmlentities() conversion function makes data safe
ONLY for HTML but NOT for SHELL, MYSQL*, etc. Likewise, the
mysqli_real_escape_string() conversion function makes data safe ONLY for
MYSQLI but NOT for MYSQL, SHELL, HTML, etc. Ditto for the shell
conversion function. I suppose you get the idea.

By the way, I do aim for performance that is acceptable in production
environments, because that is where security matters most. Right now,
the hit is in the 2% range. I hope this will be acceptable.

Wietse

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
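The per-context conversion Wietse describes, modelled as an added example (not code from the taint patch or from this thread): each escaper clears taint for exactly one sink, and a sink refuses values not converted for its own context. The SPECIAL character lists, the `Tainted` type and the minimal `sql_escape` are constructed for illustration, standing in for the real PHP conversion functions.

```python
import html
import shlex
from dataclasses import dataclass

HTML, SHELL, SQL = "html", "shell", "sql"

# Characters each sink interprets specially (constructed, illustrative lists).
SPECIAL = {
    HTML: set("<>&\"'"),
    SHELL: set(";&|$`\"' \n"),
    SQL: set("'\\"),
}

@dataclass(frozen=True)
class Tainted:
    """A string plus the set of sinks it has been converted for."""
    value: str
    safe_for: frozenset = frozenset()

    def converted(self, ctx, new_value):
        # Conversion clears taint for exactly one context, never for all.
        return Tainted(new_value, self.safe_for | {ctx})

def html_escape(t): return t.converted(HTML, html.escape(t.value, quote=True))
def shell_escape(t): return t.converted(SHELL, shlex.quote(t.value))
def sql_escape(t):
    # Hypothetical minimal quoting, standing in for a driver's escape function.
    return t.converted(SQL, t.value.replace("\\", "\\\\").replace("'", "''"))

class TaintError(Exception): pass

def sink(ctx, t):
    """Refuse a value that was not converted for this sink's context."""
    if ctx not in t.safe_for:
        raise TaintError(f"{t.value!r} not converted for {ctx}")
    return t.value

def leftover_specials(ctx, s):
    return sorted(SPECIAL[ctx] & set(s))

def demo(raw="a & b's"):
    """Escape for one context and report what the other sinks would still see."""
    t = Tainted(raw)
    out = {}
    for name, esc in ((HTML, html_escape), (SHELL, shell_escape), (SQL, sql_escape)):
        e = esc(t)
        out[name] = {
            "value": e.value,
            "accepted_by": sorted(c for c in (HTML, SHELL, SQL) if c in e.safe_for),
            "specials_left": {c: leftover_specials(c, e.value)
                              for c in (HTML, SHELL, SQL) if c != name},
        }
    return out
```

Note that the HTML conversion even introduces `;` and `&`, both shell metacharacters, which is why the taint is tracked per context rather than inferred from the characters present.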