Soenke Ruempler wrote:
> Hi Rasmus,
> On 03/23/2008 04:14 PM, Rasmus Lerdorf wrote:
>> It is, but it is magic_quotes done right. You apply a really strict
>> filter that makes your data safe for display and your backend by
>> default. The only place you can reliably do this is at the point
>> the data enters your system. Once it is in, having to remember to
>> apply a filter before you use the data will never work. You might
>> remember to do it 99.99% of the time, but that doesn't help you and
>> you might as well not do it at all. A bit like a condom with just one
>> little hole.
> Well, my point is: at the stage where user generated data enters your
> program you don't know for which subsystem to prepare it. Maybe for one,
> maybe for more of them (it's a common case that user input is first
> written to an SQL backend and then displayed again).
> So if everything is html escaped with the filter extension and I wanna
> put it into SQL I have to remember "ah all my input is escaped for html
> so I have to DECODE it and then prepare it to go into SQL". Now the
> question is: What's easier, more intuitive and less of a headache?
No, that's the point. You never ever decode data. If you are using any
sort of decode function, chances are your application is insecure. The
filter extension keeps a copy of the raw data internally. The default
filter you apply will filter for all the backends you use.
htmlspecialchars with all single and double quotes converted as well,
takes care of most commonly used stuff. When you need the raw data, or
the data filtered in a different way, you ask the filter extension to
re-filter from the stored raw data, you don't decode.
-Rasmus
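The model Rasmus describes, "keep the raw copy, derive every representation from it, never decode", as an added example that is not part of the thread. In a real request the filter extension does the storing itself (`filter.default = full_special_chars` in php.ini escapes every `$_GET`/`$_POST` value, and `filter_input(INPUT_POST, 'comment', FILTER_UNSAFE_RAW)` returns the untouched original); since the CLI has no request, the constructed `$rawPost` array stands in for that internally held raw copy, the function names are hypothetical, and an in-memory SQLite database plays the SQL backend.

```php
<?php
// Added example (not from the thread). Demonstrates the filter-extension model:
// one raw copy of the input, a per-backend filter applied to that raw copy each
// time it is needed, and no decode step anywhere.
//
// In a web request the extension holds the raw copy for you:
//   php.ini : filter.default = full_special_chars   (every $_POST value arrives HTML-escaped)
//   raw copy: filter_input(INPUT_POST, 'comment', FILTER_UNSAFE_RAW)
// $rawPost below is constructed sample input standing in for that stored raw copy.

$rawPost = [
    'comment' => "Bob's <b>review</b> & \"quoted\" text; 100% genuine",
];

/** HTML backend: what the default filter hands the script (safe for display). */
function forHtml(array $raw, string $key): string
{
    // FULL_SPECIAL_CHARS == htmlspecialchars() with ENT_QUOTES: both quote styles are encoded
    return filter_var($raw[$key], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

/** SQL backend: the RAW value, bound as a parameter. No decode, no hand escaping. */
function storeReview(PDO $db, array $raw, string $key): int
{
    $stmt = $db->prepare('INSERT INTO reviews (body) VALUES (:body)');
    $stmt->execute([':body' => $raw[$key]]);
    return (int) $db->lastInsertId();
}

/** Display after a round trip through SQL: escape again from the stored raw text. */
function renderStored(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM reviews WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return '<p>' . htmlspecialchars((string) $stmt->fetchColumn(), ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reviews (id INTEGER PRIMARY KEY, body TEXT)');

$id = storeReview($db, $rawPost, 'comment');

echo "Displayed now  : ", forHtml($rawPost, 'comment'), "\n";
echo "Stored in SQL  : ", $db->query('SELECT body FROM reviews')->fetchColumn(), "\n";
echo "Displayed later: ", renderStored($db, $id), "\n";
```

Run it with `php example.php` (needs pdo_sqlite). Each backend reads from the raw copy and applies its own filter: the HTML side encodes both quote styles, the SQL side binds the raw bytes as a parameter, and the later display escapes again from what the database returns. Because nothing is ever decoded, no step has to remember what an earlier step did to the data, which is the property Rasmus is arguing for.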
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php