David Krings wrote:
Exactly! All input is evil, even when it comes from your database and your script. There is no good reason not to check input each and every time; there are only bad excuses for not doing it.
Well, by that token you should maintain a digital signature of every script that runs, and PHP should check those signatures before running the program. Then of course every program should be checking the digital signature of php itself on the server to make sure no one tampered with that. Oh, and you might as well be checking digital signatures of any other php file you plan on including before you allow it to be included.
Of course, eventually all this checking is going to drag your performance down to an unacceptable level. But that's a bad excuse for not doing it.
:-) -Gary

New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk