Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class

2012-09-20 Thread Pierre Joye
hi Pádraic, Given the current discussions about the APIs (see my other reply too) and its usage, and that this proposal is non-invasive/self-contained in an extension, I would strongly suggest going with it in PECL already, do releases (stay alpha until you have a very good feeling about the API s

Re: [PHP-DEV] PR 186: external protocols and locale independent string conversion

2012-09-20 Thread Alec Smecher
Hi all, On Wed, Sep 19, 2012 at 8:35 PM, Lars Strojny wrote: > I'm currently working on https://github.com/php/php-src/pull/186, which fixes a > problem with PostgreSQL when passing a float to pg_query_params() with a locale > setting that uses "," as a decimal point. pg_query_params()

Re: [PHP-DEV] Authenticated Encryption in PHP

2012-09-20 Thread Yahav Gindi Bar
To be honest, I've thought about it today and think that it could be great! :) I'd love to help if it's possible in any way I can :) On Thu, Sep 20, 2012 at 5:48 PM, Chad Emrys wrote: > Hello, > > I was wondering how difficult it would be to add access to a standard > authenticated encryption mo

Re: [PHP-DEV] pdo_pgsql Boolean Issues

2012-09-20 Thread Will Fitch
Thanks, Pierre - The PR can be found at https://github.com/php/php-src/pull/198 On Tue, Sep 18, 2012 at 3:56 AM, Pierre Joye wrote: > hi Will, > > On Mon, Sep 17, 2012 at 7:45 PM, Will Fitch wrote: > > > While I've spent the better part of a week trying to determine the best > > solution, I wa

[PHP-DEV] Authenticated Encryption in PHP

2012-09-20 Thread Chad Emrys
Hello, I was wondering how difficult it would be to add access to a standard authenticated encryption mode in openssl. I was looking and trying to figure out how to do this in PHP; it seems you have to do it the old-fashioned way that's way too prone to error, basically encrypt and MAC yourself

Re: [PHP-DEV] Decode, transcode, sanitize, filter, escape

2012-09-20 Thread Lester Caine
Ferenc Kovacs wrote: > My whole point here is identifying WHAT needs 'escaping'. You can't simply > 'escape' the output stream, you still want html tags to get out? This problem is specific to YOU, because (as far as I understood your previous post) you decided to store big ch

Re: [PHP-DEV] Decode, transcode, sanitize, filter, escape

2012-09-20 Thread Ferenc Kovacs
On Thu, Sep 20, 2012 at 3:09 PM, Leigh wrote: > > My whole point here is identifying WHAT needs 'escaping'. You can't > simply > > 'escape' the output stream, you still want html tags to get out? > > This problem is specific to YOU, because (as far as I understood your > previous post) you decide

Re: [PHP-DEV] Decode, transcode, sanitize, filter, escape

2012-09-20 Thread Leigh
> My whole point here is identifying WHAT needs 'escaping'. You can't simply > 'escape' the output stream, you still want html tags to get out? This problem is specific to YOU, because (as far as I understood your previous post) you decided to store big chunks of HTML in your data store. It is not

Re: [PHP-DEV] Decode, transcode, sanitize, filter, escape

2012-09-20 Thread Lester Caine
Pádraic Brady wrote: What does this mean? Escaping is not a small area of the problem - it's one of the biggest areas of the problem - potentially bigger than input sanitisation since invalid values are irrelevant to proper escaping which operates blindly by design. A lack of escaping impacts eve

Re: [PHP-DEV] Decode, transcode, sanitize, filter, escape

2012-09-20 Thread Pádraic Brady
Hi Lester, > 'Content' going in and out needs to be correctly processed and that is the > base of this. The bulk of my own 'persistent data' is content such as > 'wiki', blog', 'forum posts', 'articles' and so on. Others will most likely > say that I should not be using 'html' as the storage mediu

Re: [PHP-DEV] RFC: alternative callback syntax

2012-09-20 Thread Ivan Enderlin @ Hoa
On 20/09/12 10:17, Pierre Joye wrote: hi, On Thu, Sep 20, 2012 at 10:09 AM, Ivan Enderlin @ Hoa wrote: On 19/09/12 19:41, Steve Clay wrote: On 9/19/12 9:26 AM, Ivan Enderlin @ Hoa wrote: callable is already a reserved word (T_CALLABLE). Oh, good. It's not listed here http://php.net/manual/

Re: [PHP-DEV] Fwd: voter outreach

2012-09-20 Thread Kris Craig
On Thu, Sep 20, 2012 at 3:51 AM, Ferenc Kovacs wrote: > > 2012.09.20. 12:45, "Kris Craig" ezt írta: > > > > > > > > > On Thu, Sep 20, 2012 at 3:42 AM, Ferenc Kovacs wrote: > >> > >> > >> 2012.09.20. 12:20, "Kris Craig" ezt írta: > >> > >> > >> > > >> > Hey guys, > >> > > >> > I got this reques

Re: [PHP-DEV] Fwd: voter outreach

2012-09-20 Thread Ferenc Kovacs
2012.09.20. 12:45, "Kris Craig" ezt írta: > > > > On Thu, Sep 20, 2012 at 3:42 AM, Ferenc Kovacs wrote: >> >> >> 2012.09.20. 12:20, "Kris Craig" ezt írta: >> >> >> > >> > Hey guys, >> > >> > I got this request from my IDL contact a few hours ago. What do y'all >> > think? Looks like a good ide

Re: [PHP-DEV] Fwd: voter outreach

2012-09-20 Thread Kris Craig
On Thu, Sep 20, 2012 at 3:45 AM, Kris Craig wrote: > > > On Thu, Sep 20, 2012 at 3:42 AM, Ferenc Kovacs wrote: > >> >> 2012.09.20. 12:20, "Kris Craig" ezt írta: >> >> > >> > Hey guys, >> > >> > I got this request from my IDL contact a few hours ago. What do y'all >> > think? Looks like a good

Re: [PHP-DEV] Fwd: voter outreach

2012-09-20 Thread Kris Craig
On Thu, Sep 20, 2012 at 3:42 AM, Ferenc Kovacs wrote: > > 2012.09.20. 12:20, "Kris Craig" ezt írta: > > > > > Hey guys, > > > > I got this request from my IDL contact a few hours ago. What do y'all > > think? Looks like a good idea to me at least. > > > > -- > > I liked it better when they con

Re: [PHP-DEV] Fwd: voter outreach

2012-09-20 Thread Ferenc Kovacs
2012.09.20. 12:20, "Kris Craig" ezt írta: > > Hey guys, > > I got this request from my IDL contact a few hours ago. What do y'all > think? Looks like a good idea to me at least. > > -- I liked it better when they contacted us directly through the webmaster mailing list.

Re: [PHP-DEV] Decode, transcode, sanitize, filter, escape

2012-09-20 Thread Ferenc Kovacs
> > > My point here is that much of what is being discussed on 'a core anti-XSS > escaping class' is missing the some of the basic problems and 'filtering' > is my own take on the correct way of managing this! and this is where you are wrong. see https://www.owasp.org/index.php/Abridged_XSS_Preve

[PHP-DEV] Fwd: voter outreach

2012-09-20 Thread Kris Craig
Hey guys, I got this request from my IDL contact a few hours ago. What do y'all think? Looks like a good idea to me at least. --Kris -- Forwarded message -- From: Douglas Schatz Date: Wed, Sep 19, 2012 at 2:43 PM Subject: voter outreach To: Kris Craig Hi Kris, I'm not sur

Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class

2012-09-20 Thread Pádraic Brady
Hi Michael, > After looking over the RFC finally, would it be that crazy to consider > this an extension of the standard string functions? > > str_escape($string, $encoding, $flags) or probably better > str_escape($string, $flags, $encoding) - since encoding could be > defaulted to UTF-8, but flag

[PHP-DEV] Decode, transcode, sanitize, filter, escape

2012-09-20 Thread Lester Caine
I am beginning to see this as another 'date/time' type of problem. Adopt the standard that everything internally is UTC and many of the problems go away. I can remember discussions on unicode and PHP6. PHP5 was just being RC'ed with tools for handling unicode (mbstring) but there was no coheren

Re: [PHP-DEV] RFC: Implementing a core anti-XSS escaping class

2012-09-20 Thread Pádraic Brady
Hi all, >> In any case, I'm not here to carry on an endless flame war. I just want to >> make sure that we're doing what's necessary to mitigate the number one >> vulnerability in web applications. >> > > I don't think this discussion is a flame war. I think it's a very good and > constructive point

Re: [PHP-DEV] RFC: alternative callback syntax

2012-09-20 Thread Pete Boere
Tentative +1 for the func_name::callable version. callable seems more generic, and possibly more intuitive when scan reading code that contains lots of 'function'. class A { static function init() { $inst = new self; var_export ($inst->bar::calla

Re: [PHP-DEV] RFC: alternative callback syntax

2012-09-20 Thread Adam Harvey
On 20 September 2012 16:24, Ivan Enderlin @ Hoa wrote: > >> On 9/19/12 2:01 PM, Andrew Faulds wrote: >>> $cb = {mysql_real_escape_string}; >>> $cb = &{mysql_real_escape_string}; > > These notations are just horrible. Agreed. They're very line-noisy and non-obvious. > PHP has recently introduced

Re: [PHP-DEV] RFC: alternative callback syntax

2012-09-20 Thread Ivan Enderlin @ Hoa
On 19/09/12 20:21, Steve Clay wrote: On 9/19/12 2:01 PM, Andrew Faulds wrote: Some other ideas: $cb = (callable) $obj->bar; Ah, but (callable) that won't work for global functions, since (callable) is a cast, and (callable) is not usable as a cast (at least in 5.4.7): $a = (callable)'str';

Re: [PHP-DEV] RFC: alternative callback syntax

2012-09-20 Thread Pierre Joye
hi, On Thu, Sep 20, 2012 at 10:09 AM, Ivan Enderlin @ Hoa wrote: > On 19/09/12 19:41, Steve Clay wrote: >> >> On 9/19/12 9:26 AM, Ivan Enderlin @ Hoa wrote: >>> >>> callable is already a reserved word (T_CALLABLE). >> >> >> Oh, good. It's not listed here http://php.net/manual/en/tokens.php > > Ex

Re: [PHP-DEV] RFC: alternative callback syntax

2012-09-20 Thread Ivan Enderlin @ Hoa
On 19/09/12 19:41, Steve Clay wrote: On 9/19/12 9:26 AM, Ivan Enderlin @ Hoa wrote: callable is already a reserved word (T_CALLABLE). Oh, good. It's not listed here http://php.net/manual/en/tokens.php Exactly. Who is responsible for updating the documentation? Julien? Best regards. -- Ivan End

Re: [PHP-DEV] PR 186: external protocols and locale independent string conversion

2012-09-20 Thread Pierre Joye
hi Lars, On Wed, Sep 19, 2012 at 8:35 PM, Lars Strojny wrote: > I'm currently working on https://github.com/php/php-src/pull/186, which fixes > a problem with PostgreSQL when passing a float to pg_query_params() with a > locale setting that uses "," as a decimal point. pg_query_params() uses

Re: [PHP-DEV] PR 186: external protocols and locale independent string conversion

2012-09-20 Thread Stas Malyshev
Hi! > Quick follow-up, PDO::quote() and mysqli::real_escape_string() suffer from > the same issue. Why would you feed doubles to escape_string functions? I don't think it's the right thing to do. -- Stanislav Malyshev, Software Architect SugarCRM: http://www.sugarcrm.com/ (408)454-6900 ext. 227

Re: [PHP-DEV] PR 186: external protocols and locale independent string conversion

2012-09-20 Thread Stas Malyshev
Hi! > I'm currently working on https://github.com/php/php-src/pull/186, > which fixes a problem with PostgreSQL when passing a float to > pg_query_params() with a locale setting that uses "," as a decimal > point. pg_query_params() uses convert_to_string(), which uses %G as a > format string for f