Rasmus Lerdorf wrote:

Nick Loeve wrote:


Rasmus Lerdorf wrote:

I don't actually see it as a per-script thing. Obviously the ini would be per-dir Apache configurable, but I see this as being something set across the board on a dedicated server that defines the security policy of that server.



Isn't that something you can use mod_security for? I don't know of the availability of that module on a standard host, but on a dedicated server you could install it.


No, because we don't actually want to lose the raw data. We need to save the raw data internally in PHP and make it available via the filter function. So if a strict default ini filter is enabled you would have something like this:

  GET /script.php?foo=<xss hack>123 Hello</xss hack>

  echo $_GET['foo'];

Would output:  123 Hello

  echo filter(GET,'foo',FILTER_RAW);

Would output: <xss hack>123 Hello</xss hack>

  echo filter(GET,'foo',FILTER_NUMBER);

Would output:  123

The extra spaces are intentional. Stripped characters are replaced with a single space. So if you had: abc<font size=10>def
You would end up with: abc def


-Rasmus

That sounds really cool. I have never used mod_security very much, so I didn't realise it killed the data.


Would it be able to take user-defined functions as a filter type alternative?

Cheers
Nick Loeve

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
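A userland PHP model of the behaviour described in the quoted message (the raw value is retained, $_GET shows the ini default filter's output, and filter() re-reads the raw copy through any filter), added here as an example; it is not code from the thread or from ext/filter, and FILTER_STRIP, FilteredRequest and apply_filter are assumed names.

```php
<?php
// Added example: a userland model of the proposed semantics, not ext/filter itself.
// FILTER_STRIP (the strict default filter), FilteredRequest and apply_filter are assumed names.
const FILTER_RAW    = 'raw';
const FILTER_STRIP  = 'strip';
const FILTER_NUMBER = 'number';

// Every run of stripped characters collapses to one space, as described in the thread.
function apply_filter(string $value, string $filter): string
{
    switch ($filter) {
        case FILTER_RAW:    return $value;
        case FILTER_STRIP:  return preg_replace('/(?:<[^>]*>)+/', ' ', $value);
        case FILTER_NUMBER: return preg_replace('/[^0-9]+/', ' ', $value);
    }
    throw new InvalidArgumentException("unknown filter: $filter");
}

final class FilteredRequest
{
    /** @var array<string, array<string, string>> the raw input, kept untouched */
    private array $raw;

    public function __construct(array $rawGet, private string $defaultFilter = FILTER_STRIP)
    {
        $this->raw = ['GET' => $rawGet];
    }

    /** What $_GET would hold once the default ini filter has been applied. */
    public function superglobal(string $source): array
    {
        return array_map(fn (string $v) => apply_filter($v, $this->defaultFilter), $this->raw[$source]);
    }

    /** The proposed filter(): re-reads the retained raw value through any filter. */
    public function filter(string $source, string $name, string $filter = FILTER_RAW): ?string
    {
        return isset($this->raw[$source][$name]) ? apply_filter($this->raw[$source][$name], $filter) : null;
    }
}

// Constructed request: GET /script.php?foo=<xss hack>123 Hello</xss hack>&bar=abc<font size=10>def
parse_str('foo=<xss hack>123 Hello</xss hack>&bar=abc<font size=10>def', $rawGet);
$req = new FilteredRequest($rawGet);
$get = $req->superglobal('GET');

printf("\$_GET['foo']           -> [%s]\n", $get['foo']);
printf("filter(GET,foo,RAW)    -> [%s]\n", $req->filter('GET', 'foo', FILTER_RAW));
printf("filter(GET,foo,NUMBER) -> [%s]\n", $req->filter('GET', 'foo', FILTER_NUMBER));
printf("\$_GET['bar']           -> [%s]\n", $get['bar']);
```

The square brackets in the output make the single replacement spaces visible, so the three "Would output" cases from the message can be compared directly.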
