On 04/07/2012 01:07 PM, Ángel González wrote:
> On 07/04/12 19:29, Rasmus Lerdorf wrote:
>> On 04/07/2012 10:23 AM, Ángel González wrote:
>>
>>> And I like the idea of providing a function for auto escaping <?= echos.
>> Turn on your default input filter and all data that comes from the user
>> will automatically be escaped.
>>
>> -Rasmus
> I'm not interested in filtering *input* but *output*. I'm of the opinion
> that variables should hold their real values up to the last step before
> being used in the context which needs escaping (html, sql...).
It is a purer and cleaner approach, for sure, but it means you have to
remember to explicitly escape each one and it makes it hard to audit. If
you filter by default then you can easily audit the places an app fetches
the raw unfiltered version of a variable and on large teams your junior
developers will fail on the safe side if they forget to filter/escape
something.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
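The two approaches the thread contrasts, as an added example that is not code from the mailing list or from PHP itself: Rasmus's "filter on input by default" (PHP's filter.default ini setting, simulated here with filter_var() because the real setting is PHP_INI_PERDIR and only rewrites the superglobals as the SAPI fills them) next to Ángel's "keep the real value, escape at the output step". The sample input string, the e() helper, and the users table in the SQL fragment are constructed for illustration.

```php
<?php
// Added example, not from the thread. Contrasts input filtering by default
// (filter.default) with escaping at the output boundary.
//
// To see the real filter.default behaviour rather than the filter_var()
// simulation below, run this under the CGI SAPI, which fills $_GET from
// QUERY_STRING (filter.default_flags=0 clears FILTER_FLAG_NO_ENCODE_QUOTES
// so quotes get encoded too):
//   QUERY_STRING='name=%3Cb%3EO%27Reilly%3C/b%3E' \
//   php-cgi -d filter.default=special_chars -d filter.default_flags=0 demo.php
// and compare $_GET['name'] (filtered) with filter_input(INPUT_GET, 'name')
// (the original data, per the filter.default documentation).

declare(strict_types=1);

// Constructed sample input, as a browser would have sent it.
$raw = "<script>alert(1)</script> O'Reilly";

// --- Approach A: filter on input (what filter.default=special_chars does) ---
// Every superglobal value arrives already HTML-encoded. Code that wants the
// original has to ask for it explicitly, and that explicit call is the thing
// an auditor greps for.
$filtered = filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS);
$original = filter_var($raw, FILTER_UNSAFE_RAW); // the explicit "raw" fetch

echo "A filtered : $filtered\n";   // numeric entities: &#60;script&#62; ... O&#39;Reilly
echo "A raw      : $original\n";

// --- Approach B: keep real values, escape at the output boundary ---
// Hypothetical helper a template would call at each <?= ... ?>.
function e(string $s): string
{
    // HTML text/attribute context; ENT_QUOTES also encodes single quotes so the
    // value is safe inside single-quoted attributes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$html = '<p>Hello, ' . e($raw) . '</p>';
echo "B html     : $html\n";

// The same variable, still holding its real value, goes to a non-HTML context
// using that context's own mechanism: a bound parameter, not string escaping.
// Shown as the statement and its bindings only; no database connection is made.
$sql   = 'INSERT INTO users (name) VALUES (:name)';      // hypothetical table
$bound = [':name' => $raw];   // would be $pdo->prepare($sql)->execute($bound)
echo "B sql      : $sql with " . json_encode($bound) . "\n";

// Where the two differ: under Approach A the value that reaches SQL (or a log
// file, a mail header, a JSON API) is the HTML-encoded form unless the raw
// fetch is used there; under Approach B it is the original string and each
// sink applies its own escaping.
echo "A to sql   : " . json_encode([':name' => $filtered]) . "\n";
```

Under Approach A the grep target is every call that bypasses the default filter (filter_input() with the raw filter, or FILTER_UNSAFE_RAW); under Approach B it is every output site that emits a variable without going through e() or a prepared statement, which is the audit difference Rasmus describes.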