Re: [PHP-DEV] Proposal for cascadable general HTTP input handler

2001-12-09 Thread Zeev Suraski

What would be the input/output of these input handlers?

Zeev

At 07:19 09/12/2001, Rui Hirokawa wrote:

Hi,

I propose a new idea for HTTP input handler to improve security and
multibyte encoding support.

Currently, user input by POST/GET/Cookie is treated by
internal function php_treat_variables().

Some security-related work to prevent some security attacks
is performed in PHP script by htmlspecialchars() and regex().

And multibyte encoding detection and translation which is necessary
for multibyte enable Web application is implemented by
override php_treat_variables().

My idea is to introduce some general input filter/handler
for php_treat_variables().

It is a similar concept as output buffering handler.

For example, if a user defined

input_handler = http_input_check,mb_filter

in php.ini, user-defined security check handler and
multibyte encoding translation are performed.

Generally, http input check for secure transaction is really
hard work and some programmers might make some critical mistake.
And PHP script with http input check is usually hard to read.

If we can use http input handler, we can implement separately
http input check and Web application.

--
-
Rui Hirokawa [EMAIL PROTECTED]
  [EMAIL PROTECTED]


--
PHP Development Mailing List http://www.php.net/
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]






Re: [PHP-DEV] Proposal for cascadable general HTTP input handler

2001-12-09 Thread Rui Hirokawa


The input could be an array pointer for the split and URL-decoded input by 
POST/GET/Cookie.

The output could be an array including result or return code of 
the handler.

These handlers should be activated in php_treat_data before
php_register_variable_safe().

An example is php_mbstr_encoding_handler() in ext/mbstring.c.
The argument of php_mbstr_encoding_handler() is,

static void
php_mbstr_encoding_handler(zval *arg, char *res, char *separator TSRMLS_DC)

But, the array pointer should be better to simplify the handler.


On Sun, 09 Dec 2001 20:21:02 +0200
Zeev Suraski [EMAIL PROTECTED] wrote:

 What would be the input/output of these input handlers?
 
 Zeev
 
 At 07:19 09/12/2001, Rui Hirokawa wrote:
 
 Hi,
 
 I propose a new idea for HTTP input handler to improve security and
 multibyte encoding support.
 
 Currently, user input by POST/GET/Cookie is treated by
 internal function php_treat_variables().
 
 Some security-related work to prevent some security attacks
 is performed in PHP script by htmlspecialchars() and regex().
 
 And multibyte encoding detection and translation which is necessary
 for multibyte enable Web application is implemented by
 override php_treat_variables().
 
 My idea is to introduce some general input filter/handler
 for php_treat_variables().
 
 It is a similar concept as output buffering handler.
 
 For example, if a user defined
 
 input_handler = http_input_check,mb_filter
 
 in php.ini, user-defined security check handler and
 multibyte encoding translation are performed.
 
 Generally, http input check for secure transaction is really
 hard work and some programmers might make some critical mistake.
 And PHP script with http input check is usually hard to read.
 
 If we can use http input handler, we can implement separately
 http input check and Web application.
 
 --
 -
 Rui Hirokawa [EMAIL PROTECTED]
   [EMAIL PROTECTED]
 
 


-- 
-
Rui Hirokawa [EMAIL PROTECTED]
 [EMAIL PROTECTED]
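
The cascade discussed in this thread, sketched in C as an added example; it is not code from PHP or from either poster. The types `input_var` and `input_handler`, the function `run_input_handlers`, and the return codes are hypothetical, and the two handlers are stand-ins for the names in the php.ini line above (this `mb_filter` only validates UTF-8 structure rather than translating encodings).

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical types: one variable, already split and URL-decoded. */
typedef struct { const char *name; const char *val; size_t len; } input_var;
typedef int (*input_handler)(input_var *vars, size_t n);   /* 0 = accept */

/* Stand-in for "http_input_check": reject NUL and other control bytes. */
static int http_input_check(input_var *v, size_t n) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < v[i].len; j++) {
            unsigned char c = (unsigned char)v[i].val[j];
            if (c < 0x20 && c != '\t' && c != '\n' && c != '\r') return -1;
        }
    return 0;
}
/* Stand-in for "mb_filter": UTF-8 lead/continuation check only, no overlong check. */
static int mb_filter(input_var *v, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const unsigned char *s = (const unsigned char *)v[i].val;
        for (size_t j = 0; j < v[i].len; j++) {
            size_t need = s[j] < 0x80 ? 0 : (s[j] & 0xE0) == 0xC0 ? 1
                : (s[j] & 0xF0) == 0xE0 ? 2 : (s[j] & 0xF8) == 0xF0 ? 3 : (size_t)-1;
            if (need > v[i].len - j - 1) return -2;  /* bad lead or truncated */
            while (need--) if ((s[++j] & 0xC0) != 0x80) return -2;
        }
    }
    return 0;
}
static const struct { const char *name; input_handler fn; } registry[] = {
    { "http_input_check", http_input_check }, { "mb_filter", mb_filter } };
/* Run the handlers named in a comma-separated list, in order. Returns 0 if all
   accept, the first non-zero handler code, or -100 for an unknown name. */
int run_input_handlers(const char *cfg, input_var *vars, size_t n) {
    while (*cfg) {
        size_t len = strcspn(cfg, ","), h;
        for (h = 0; h < 2; h++)
            if (strlen(registry[h].name) == len && !strncmp(registry[h].name, cfg, len)) break;
        if (h == 2) return -100;          /* fail closed on a config typo */
        int rc = registry[h].fn(vars, n);
        if (rc != 0) return rc;           /* stop before variables are registered */
        cfg += len + (cfg[len] == ',');
    }
    return 0;
}
int main(void) {
    /* Constructed sample input: one valid UTF-8 value, one with an embedded NUL. */
    input_var ok[] = { { "q", "caf\xC3\xA9", 5 } }, bad[] = { { "q", "a\0b", 3 } };
    printf("%d %d\n", run_input_handlers("http_input_check,mb_filter", ok, 1),
           run_input_handlers("http_input_check,mb_filter", bad, 1));
    return 0;
}
```

Passing each value with an explicit length is what lets the first handler see an embedded NUL at all; a handler that walked the value with `strlen()` would stop before it.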

