Soenke Ruempler wrote:
> Hi Rasmus,
> On 03/23/2008 03:32 PM, Rasmus Lerdorf wrote:
>> This is what the filter extension is for. You should be working with
>> escaped data by default and only poke a hole in your data firewall in
>> the few places where you need to work with the raw data. Doing it the
>> other way around is going to lead to all sorts of security issues.
> Mhm. Isn't the right paradigm to prepare variables at the time they
> are passed into subsystems (sql, shell, html etc.)? So what do you mean
> with "escaped data" here? html/xml escaped, sql escaped (which sql
> system and which encoding?). Sounds a bit like magic_quotes reloaded
> *hides*
It is, but it is magic_quotes done right. You apply a really strict
filter that makes your data safe for display and your backend by
default. The only place you can reliably do this is at the point
the data enters your system. Once it is in, having to remember to apply
a filter before you use the data will never work. You might remember to
do it 99.99% of the time, but that doesn't help you and you might as
well not do it at all. A bit like a condom with just one little hole.
-Rasmus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
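The pattern Rasmus describes (escape everything at the point of entry, then explicitly poke a hole where raw data is needed) and the objection Soenke raises (HTML escaping is the wrong preparation for SQL), shown together in one added example. This script is not from the thread or from ext/filter itself; it stands in for the php.ini setting `filter.default = special_chars` by applying the same filter to a constructed request array, because that ini directive is PHP_INI_PERDIR and cannot be enabled with ini_set() from inside a script. It assumes PHP 5.2+ with ext/filter and, for the database part, the pdo_sqlite driver.

```php
<?php
// Added example, not code from the thread: "filter at entry, poke a hole".
//
// In production the entry filter is a php.ini line such as
//     filter.default = special_chars
// which sanitizes $_GET/$_POST/$_COOKIE before any script runs, and the
// hole is filter_input(INPUT_GET, 'comment', FILTER_UNSAFE_RAW).
// Here the request is a constructed array so the script runs from the CLI.

declare(strict_types=1);

// Constructed sample request, standing in for $_GET.
const SAMPLE_REQUEST = [
    'name'    => "O'Brien <script>alert(1)</script>",
    'age'     => '42abc',
    'comment' => "Line 1\n<b>bold</b> & \"quoted\"",
];

// Step 1: the data firewall. Every value is HTML-escaped by default
// (equivalent to filter.default = full_special_chars), so a template that
// echoes any of these values cannot inject markup even if the author forgets
// htmlspecialchars().
function filtered_request(array $raw): array
{
    return filter_var_array($raw, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

// Step 2: poking a hole. The few places that need raw bytes ask for them by
// name, so every exception to the default is greppable (search for raw_field).
function raw_field(array $raw, string $key): ?string
{
    return isset($raw[$key]) ? filter_var($raw[$key], FILTER_UNSAFE_RAW) : null;
}

// Validation is a separate concern from escaping: a typed filter rejects
// junk outright instead of making it "safe" and passing it on.
function int_field(array $raw, string $key): ?int
{
    $v = filter_var($raw[$key] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 0]]);
    return $v === false ? null : $v;
}

$safe = filtered_request(SAMPLE_REQUEST);

// Safe to drop straight into HTML, which is the common case this pattern
// optimises for.
echo 'HTML view:   ', $safe['name'], "\n";
echo 'Validated age: ', var_export(int_field(SAMPLE_REQUEST, 'age'), true), "\n";

// The database is one of the holes. It must receive the raw value, because
// storing "&lt;script&gt;" would corrupt the data, and SQL safety comes from
// parameter binding, not from the HTML filter. This is Soenke's point: the
// escaping that is right for one subsystem is wrong for another.
$pdo = new PDO('sqlite::memory:');   // assumes pdo_sqlite; any PDO driver works
$pdo->exec('CREATE TABLE users (name TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => raw_field(SAMPLE_REQUEST, 'name')]);

// On the way back out, the stored raw value is escaped for the context it is
// about to enter (HTML again), which is the one escaping step the template
// still owns.
$stored = $pdo->query('SELECT name FROM users')->fetchColumn();
echo 'Stored raw:  ', $stored, "\n";
echo 'Rendered:    ', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

Two things worth checking before adopting the ini-level version: `filter.default` applies to every superglobal the filter extension covers, so code that reads raw uploads or JSON bodies from `$_POST` must switch to `filter_input(..., FILTER_UNSAFE_RAW)` or `php://input`; and the filter escapes for HTML only, so shell arguments still need `escapeshellarg()` and SQL still needs bound parameters.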