On Dec 1, 2015 4:50 PM, "Dmitry Stogov" <dmi...@zend.com> wrote:
>
> I think only big arrays coming from external sources should be checked.

I tend to agree here. We discussed it with Remote last week. I was trying to explain why having a crafted hash function for inputs may be better and safer. That includes get/post/env/serialize/json and the like. The performance impact for these is most likely minimal for only them while ensuring better protection from a long-term point of view.

I may be wrong and did not think much more than brainstorming about it. So take it with a bit of salt :)