Benj Carson wrote:
My opinion may not carry any weight here, as I'm just a user of PHP, but this discussion has given me a few ideas. As Ron and Val (and others) have pointed out, there's no way for PHP to know how an *input* value is going to be used. Would it perhaps be better to filter *output* values?

I think the main problem is that Ron and Rasmus are talking about different stuff:
a) Ron is a developer who knows how to handle data in a secure way and doesn't want any magic to interfere. All he needs is easy support to do the necessary escaping depending on the use. I'm not sure if PHP doesn't already have the proper tools to do this.
b) Rasmus is concerned about servers with lots of badly written code on it where he wants to provide a method to prevent security problems for these leaky programs by not letting any dangerous data come through thus compromising the server.


Concerning a):
- Something which might help me as a developer to track (initial) leaks down could be variable tainting. A simple scheme (direct output and basic string concatenation/construction) might help or might be bad. Dunno, would need more thought but OTOH I'm pretty sure this has been discussed at length here on the list :-)
Concerning b):
- A default filter might help; it definitely _will_ cause problems and lots of programs will need fixing, so it's a very double-edged sword. Making it easy to disable it would result in little more security, as people running into (even minor, i.e. easily fixable) problems would do just that: disable it. You guys have more experience with magic_gpc to judge if it's leading to more problems than it solves.


I'm very ambivalent about the whole thing but I think it's important that you stop rejecting the other side's points because you're looking at different problems.

Over and out,
- Chris

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
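
The simple tainting scheme mentioned in the message above (direct output plus basic string concatenation), sketched in PHP as an added example that is not part of the original message or of PHP itself. `TrackedString` and its methods are hypothetical names, the request value is constructed, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);
// Hypothetical helper (not a PHP built-in): a string that remembers whether it came from input.
final class TrackedString
{
    private function __construct(private string $value, private bool $tainted) {}

    public static function fromInput(string $raw): self { return new self($raw, true); }
    public static function literal(string $s): self { return new self($s, false); }

    // Concatenation: the result is tainted if any part was tainted.
    public function concat(self ...$parts): self
    {
        $value = $this->value;
        $tainted = $this->tainted;
        foreach ($parts as $p) {
            $value .= $p->value;
            $tainted = $tainted || $p->tainted;
        }
        return new self($value, $tainted);
    }

    // Escaping for the HTML context clears the taint (for that context only).
    public function escapedForHtml(): self
    {
        $safe = htmlspecialchars($this->value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return new self($safe, false);
    }

    // Output sink: refuses to emit anything still marked as tainted.
    public function emitHtml(): string
    {
        if ($this->tainted) {
            throw new LogicException('tainted value reached HTML output unescaped');
        }
        return $this->value;
    }
}

// Constructed sample input standing in for a request parameter such as $_GET['name'].
$name  = TrackedString::fromInput('<script>alert(1)</script>');
$open  = TrackedString::literal('<p>Hello, ');
$close = TrackedString::literal('</p>');
try {
    echo $open->concat($name, $close)->emitHtml();   // unescaped input: flagged at the sink
} catch (LogicException $e) {
    echo 'leak detected: ', $e->getMessage(), "\n";
}
echo $open->concat($name->escapedForHtml(), $close)->emitHtml(), "\n";
```

The sketch only tracks one output context (HTML); a value escaped this way would still be unsafe in an SQL or shell context, which is the "depends on the use" point raised in the thread.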


