Antony Dovgal wrote:
> Obviously, no, this won't be the only way to get the data.
That's good.
>>>> Honestly, I'm not so sure it's a good idea to implement it like PECL
>>>> extension does. Filtering individual variables is, in my opinion, a
>>>> wrong way to treat user input.
>>>
>>> You may filter data recursively, so filtering, for example, _POST or
>>> _GET would work fine.
>>
>> Recursion does not solve the problem I'm trying to highlight.
>>
> Didn't get the problem, sorry.
> Could you try to explain it once more?
This particular extension treats each input variable individually, which
is not desirable in majority of scripts I worked with. Such approach
adds unnecessary complexity to the script, and requires to handle each
invalid variable separately as well. But the real problem is that there
are many ways of filtering input, and I do not think any of them fits
all the situations.
>> "Part of the standard API, which is included with PHP and compiles by
>> default", if you will.
>
>
> So, basically you're objecting against enabling it by default?
> Why? I really do not see a reason to not include it by default, if it
> helps to write more secure code.
> (remember that "enabled by default" means you can disable it in a
moment).
Well, I think that everything in core distribution is a suggested
standard. But a language should not, in my opinion, suggest any
particular structure for the program, unless it's absolutely necessary.
It's not a major issue, but still...
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
