Nick Loeve wrote:
Gareth Ardron wrote:
Rasmus Lerdorf wrote:
TCP/IP Firewalls break all sorts of applications as well until either the application is modified to poke a hole in the firewall itself via upnp, or you reconfigure the firewall. This makes firewalls annoying, but they are necessary. This is exactly the same thing. It is a data firewall for PHP. You don't have to use it, but people want it and need it.
After a little discussion on #php.pecl I would like to clarify my position. I think it makes absolute sense to have an input filter that implements a global security for PHP. However as this feature only makes sense with considerable knowhow in defining a sensible global (global in the sense that it may span multiple applications) security policy I see no reason why this needs to be in core versus it being in PECL. Especially since alot of people are worried about smart ass admins (especially mass hosters) who dont listen to developers enabling the thing just because it sounds like a good idea.
This means that the functionality will be available to people who know (tm). At the same time this is not a complete solution as a global security policy is not going to be as finely grained as needed. So a set of easy to use tools to use inside your application is also necessary. Actually it should be clear to all that just as a firewall input filtering does not replace data validation, even if in some cases data validation with inplut filters in front my seem redundant.
We seriously need a taint model that will ensure that people get some sort of reminder if they let unchecked data pass through.
regards,
Lukas
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
