Well there you go. A default filter. So I don't know what you mean with "For
the 18th time, nobody is talking about enabling it by default.", because an
administrator might. And I as a developer have no clue. Personally, I don't
see why a webserver admin should need to secure his server through means of
a default filter. There are good ways to secure a machine. This is not one
of them. You don't secure a server by setting a default that a user can
override. So really, that is no argument.

Like I said before. If a webserver admin dictates the default way $_GET and
$_POST data is perceived, a website developer has no choice but to use this
filtering mechanism on every input variable he receives, because he just
can't rely on PHP's default behaviour anymore. You see, not everybody agrees
that you can't do without input filtering (myself for example), so in the
end, there's no doubt in my mind that forcing a new magic default on
PHP-users will make a lot of people unhappy.

Ron

"Rasmus Lerdorf" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> From a developer's perspective I can see your point.  But if I am going
> to run your application on my server, I want a way to make sure no XSS,
> for example, can get through no matter how badly you may have written
> the application.  That is, the control of my server's security policy
> has to be up to me, not you.  So while there will be filtering functions
> for you to use, there will also be an ini setting for administrators to
> force a default filter.
>
> -Rasmus
>
> Michael Virnstein wrote:
> > I'm not a developer of php, but developing in php, I can say that it'd
> > be nice to be able to filter *any* data, *if I want to*, not just $_GET,
> > $_POST etc.. I think it is a good idea to have an easy to use filter api,
> > but please don't make it an ini setting, so I have to call a function to
> > get the original data if it is enabled or have to call ini_set first to
> > disable it. I know you'd like to help securing applications even for not
> > experienced programmers, but that's not the way to go imo.
> > I honestly don't want someone to dictate which data is ok for my
> > application and which is not. Simply give me a nice api, with default
> > filter types and probably the possibility to register custom functions
> > to filter data, so I can call the functions if I want to. Or let me
> > register filter types for certain variables, something like:
> > <?php
> >
> > register_filter('var1', FILTER_NUMBER);
> > register_filter('var2', FILTER_EMAIL);
> > register_filter('var3', 'my_customer_filter');
> >
> > ?>
> >
> > Michael
> >
> > Rasmus Lerdorf wrote:
> >
> >> For the 18th time, nobody is talking about enabling it by default.
> >>
> >> -Rasmus
> >
> >

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
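The register_filter() sketch Michael posts in the quoted message above never shipped as such. As an added example (not code from the thread or from PHP itself), here is that opt-in idea expressed against the filter_var() API that PHP's ext/filter later provided; the InputFilter class and my_custom_filter() are hypothetical helpers, and the $get array is a constructed stand-in for a real request.

```php
<?php
// Added example, not from the thread. Michael's register_filter() idea,
// written as a small opt-in wrapper around PHP's real filter_var().
// InputFilter is a hypothetical helper, not a PHP builtin.

final class InputFilter
{
    /** @var array<string, array{int, array}> */
    private array $filters = [];

    // Register a filter for one variable name. Nothing is filtered unless
    // the developer asks for it, so no ini setting decides on their behalf.
    public function register(string $name, int $filter, array $options = []): void
    {
        $this->filters[$name] = [$filter, $options];
    }

    // Return the filtered value, the raw value when no filter was registered,
    // or null when the variable is missing or fails validation.
    public function get(array $source, string $name)
    {
        if (!array_key_exists($name, $source)) {
            return null;
        }
        if (!isset($this->filters[$name])) {
            return $source[$name];           // unfiltered, as the developer chose
        }
        [$filter, $options] = $this->filters[$name];
        $result = filter_var($source[$name], $filter, $options);
        return $result === false ? null : $result;
    }
}

// Custom filter: only a short alphanumeric tag passes; anything else is rejected.
function my_custom_filter(string $value)
{
    return preg_match('/^[A-Za-z0-9_]{1,16}$/', $value) === 1 ? $value : false;
}

$in = new InputFilter();
$in->register('var1', FILTER_VALIDATE_INT);
$in->register('var2', FILTER_VALIDATE_EMAIL);
$in->register('var3', FILTER_CALLBACK, ['options' => 'my_custom_filter']);

// Constructed sample request standing in for $_GET.
$get = ['var1' => '42', 'var2' => 'not-an-email', 'var3' => 'ok_tag', 'var4' => '<b>raw</b>'];

foreach (['var1', 'var2', 'var3', 'var4'] as $name) {
    var_dump($in->get($get, $name));
}
```

var1 validates to an integer, var2 is rejected, var3 passes the custom callback, and var4 comes back untouched because nothing was registered for it, which is exactly the per-variable control the quoted message asks for.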