Hi Rasmus,

On 03/23/2008 03:32 PM, Rasmus Lerdorf wrote:

This is what the filter extension is for. You should be working with escaped data by default and only poke a hole in your data firewall in the few places where you need to work with the raw data. Doing it the other way around is going to lead to all sorts of security issues.

Mhm. Isn't the right paradigm to prepare variables at the time they are passed into subsystems (SQL, shell, HTML etc.)? So what do you mean by "escaped data" here? HTML/XML escaped, SQL escaped (which SQL system and which encoding?). Sounds a bit like magic_quotes reloaded *hides*

IMHO a short syntax for echoing data HTML-escaped would be very helpful and a great extension to the language. If people (esp. newbies) are pointed to this one instead of echo/print for echoing HTML parts, it could lead to a big win for PHP application security.

-soenke
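The approach the reply above argues for, escaping at the boundary of each subsystem rather than holding pre-escaped data, shown as an added example (this is not code from the thread or from PHP itself). It assumes a PHP build with PDO and the SQLite driver so the SQL part runs against an in-memory database; the helper names `h()` and `eh()` and the sample input are constructed for the example.

```php
<?php
// Added example, not from the original thread. Keeps the raw value in one place
// and encodes it only where it crosses into a subsystem: HTML output, SQL, shell.

declare(strict_types=1);

// Short HTML-escaping helper, the kind of shortcut the reply asks for.
// ENT_QUOTES also escapes single quotes, so the value is safe inside attributes
// quoted either way; the explicit charset avoids mis-encoding surprises.
function h(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Escaped echo": the one-call form a newbie can be pointed to instead of echo.
function eh(string $raw): void
{
    echo h($raw);
}

// Constructed sample input, as it would arrive raw from a request.
$name = "O'Brien <script>alert(1)</script>";

// 1. HTML boundary: escape only at render time, never in storage.
echo '<p>Hello, ';
eh($name);
echo "</p>\n";
// Renders as text: <p>Hello, O&#039;Brien &lt;script&gt;alert(1)&lt;/script&gt;</p>

// 2. SQL boundary: no string escaping at all; the raw value is bound as a parameter,
//    so its quote and tags are data, not SQL. In-memory SQLite keeps this offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $name]);

$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => $name]);
$row = $select->fetch(PDO::FETCH_ASSOC);

// The stored value is byte-for-byte the raw input; nothing was HTML-escaped
// on the way in, which is what keeps the SQL and HTML encodings from mixing.
if ($row === false || $row['name'] !== $name) {
    throw new RuntimeException('stored value does not match raw input');
}

// 3. Shell boundary: quote for the shell only here, with the shell's own rules.
//    escapeshellarg() wraps the value in single quotes and handles embedded ones.
$cmd = 'printf %s ' . escapeshellarg($name);
echo "Shell command: $cmd\n";
```

Each boundary uses its own encoding (entity escaping, parameter binding, shell quoting), so a value escaped for one cannot be reused for another; that is the objection to a single "escaped by default" representation in the reply above.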

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php