Dennis Gearon wrote:
Why unset the globals?
I plan on implementing filters on all User input to ALL scripts in the prepend file. And if someone wants to get a variable that was supplied by a user, they have to specify if it's going to be INT, STR (with options to remove run-on spaces, validate email addr, remove carriage returns to prevent embedded email directives), 'NUM' type with formatting like in databases, and also, anti SQL injection escaping is possible. The programmer will HAVE to choose which filtering, but strip tags is automatic. I'm not going to have XSS holes or SQL injection on my site.
Why is strip_tags automatic? So you can filter out such evil code as <grin> and <crap>, which strip_tags removes? Thinking about using allowed_tags with strip_tags? Allow me only the use of the <b> tag and I'll put XSS vulnerabilities all over your site.
How is this going to stop XSS? I tell you I need a string safe to input into a database and you send me an escaped string that I insert into a database and then display to the user. That can prevent an XSS hole unless your users run htmlentities/htmlspecialchars() on the string.
I understand your idea and what you're trying to do, but educating your users is going to have a greater effect than trying to create this catch-all-be-all script to protect yourself... that's not going to work.
-- ---John Holmes...
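The two points John makes above, that strip_tags() with an allowed_tags list is not an XSS filter and that a string escaped for the database is not safe to print into HTML, can be seen in a few lines of PHP. This is an added example written for this page, not code from either poster. It uses a constructed sample comment, and the PDO part assumes the pdo_sqlite extension is available.

```php
<?php
// Added example (not from the thread). Constructed sample of user input that
// uses only the "allowed" <b> tag, plus a <script> block.
$input = '<b onmouseover="alert(1)">hello</b> <script>alert(2)</script>';

// 1. Input-side filtering as proposed: strip everything except <b>.
//    strip_tags() does not touch attributes on allowed tags, so the event
//    handler on <b> survives, and the text inside <script> is kept too.
$filtered = strip_tags($input, '<b>');
// $filtered is now: <b onmouseover="alert(1)">hello</b> alert(2)

// 2. A "database safe" string is still not HTML safe. SQL-style escaping only
//    deals with quotes and backslashes; < > and attribute syntax are untouched.
$forDb = addslashes($input);
// $forDb still contains <b onmouseover=...> and <script> unchanged.

// 3. The control that actually prevents the XSS is encoding at the output
//    context, i.e. at the moment the value is placed into HTML.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 4. SQL gets its own context-appropriate handling: a prepared statement
//    carries the raw value without any string escaping at all. (Assumes
//    pdo_sqlite; an in-memory database keeps the example self-contained.)
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE comments (body TEXT)');
$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $input]);

// Read it back and escape for HTML only at the output boundary.
$row = $pdo->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);
echo '<p>' . html_escape($row['body']) . "</p>\n";
// Prints the comment as visible text; the browser renders no tag and runs
// no handler, because every < " and > has been encoded.

// For comparison, what the input-side filter alone would have emitted:
echo "<!-- strip_tags output, for comparison only -->\n";
echo htmlspecialchars($filtered, ENT_QUOTES, 'UTF-8') . "\n";
```

The design point is that escaping is a property of the destination, not of the input: the same value needs parameter binding when it goes to SQL and htmlspecialchars() when it goes to HTML, and a single "filter everything in the prepend file" step cannot know which destination a variable will end up in.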
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php