Hi Rasmus,

On 03/23/2008 04:14 PM, Rasmus Lerdorf wrote:

It is, but it is magic_quotes done right. You apply a really strict filter that makes your data safe for display and your backend by default. The only place you can reliably do this is at the point the data enters your system. Once it is in, having to remember to apply a filter before you use the data will never work. You might remember to do it 99.99% of the time, but that doesn't help you and you might as well not do it at all. A bit like a condom with just one little hole.

Well, my point is: at the stage where user-generated data enters your program you don't know which subsystem to prepare it for. Maybe for one, maybe for more of them (it's a common case that user input is first written to an SQL backend and then displayed again).

So if everything is HTML-escaped with the filter extension and I want to put it into SQL, I have to remember "ah, all my input is escaped for HTML, so I have to DECODE it and then prepare it to go into SQL". Now the question is: what's easier, more intuitive and less of a headache?

I guess the real challenge is not to try to do as much magic as possible in PHP but

a) to give users a simple way of escaping their data for the particular subsystem
b) to point them to the right solution within the manual. (addslashes is bad for SQL, parameter binding / prepared statements are nice - echo is bad for HTML output, htmlspecialchars or a newly introduced short tag is nice).

-soenke
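The double-escaping problem described above, and the per-subsystem alternative (parameter binding for SQL, htmlspecialchars for HTML), as an added example that is not part of the thread or of PHP's own code; it assumes PDO with an in-memory SQLite database and a constructed sample input:

```php
<?php
// Added example (not from the thread): escaping once at the point of entry
// versus escaping for each subsystem at the point of use.
// Assumes PDO with the SQLite driver so it runs stand-alone; the input is constructed.
declare(strict_types=1);

$input = "O'Reilly <b>& Sons</b>";   // constructed user input

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE names (id INTEGER PRIMARY KEY, name TEXT)');
$insert = $pdo->prepare('INSERT INTO names (name) VALUES (:name)');
$select = $pdo->prepare('SELECT name FROM names WHERE id = :id');

function fetchName(PDOStatement $select, int $id): string
{
    $select->execute([':id' => $id]);
    return (string) $select->fetchColumn();
}

// Approach 1: "escape for HTML when the data enters the system".
// The HTML-encoded form is what gets stored, so every other consumer of the
// row (an API, a CSV export, a plain-text mail) sees entities, and the HTML
// view has to either trust the stored value or double-encode it.
$atEntry = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
$insert->execute([':name' => $atEntry]);
$stored = fetchName($select, 1);
echo "stored (escaped at entry): $stored\n";
echo "re-escaped on display:     " . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "\n";

// Approach 2: keep the raw value and escape per subsystem at the point of use.
// Parameter binding handles the quote in O'Reilly for SQL (no addslashes),
// and htmlspecialchars() handles <, >, & and quotes for the HTML output only.
$insert->execute([':name' => $input]);
$raw = fetchName($select, 2);
echo "stored (raw):              $raw\n";
echo "escaped for HTML output:   " . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . "\n";
```

Running it shows the first row carrying entities into the database and being encoded a second time on display, while the second row stays intact in SQL and is escaped exactly once, for HTML, where it is rendered.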

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php