On 2011/03/03, at 1:43, Zladivliba Voskuy <[email protected]> wrote:
> This is becoming a very very interesting discussion !
> Here's my point : if you only authorize "abcdefghijklmnopqrstuvwxyz"
> + '0123456789' + ".,;:()/[] '
> I'm pretty sure there's no way to make an attack, xss or sql
> injection.
> - You can't make a sql injection because you need "\" to do this and
> if you escape all user input (" and ') you're ok
> - You can't make an xss because you need < and > to do it.
> So, ok you lose a lot of possibilities (like you can't allow html),
> but I can live with that.
> Now doing so I'm just applying one very basic principle of
> security : remove everything you don't absolutely need.
> What I miss is *how* to build such a function that would filter all
> these chars. And I'd love a little help on this side ;-)
Yes, it is an interesting discussion. I think I've run into something
similar at least on a couple of occasions where I get lots of feedback
from people who think I'm trying to write a scalable, public,
enterprise level, Facetube (TM) application, when I'm merely writing something
akin to a utility with the least amount of dependencies. In these
situations, it's difficult to take that advice. Maybe you can compare it to
KDE vs. Blackbox. You can bet the developers have a very different way
of going about things, because their goal is different.
Of course using ZF might seem like an "enterprisey" thing to do. Which could
be the reason for the "enterprisey" advice. ;)
Others may have suggested this, but have you looked at Zend_Filter?
http://framework.zend.com/manual/en/zend.filter.writing_filters.html
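As an added illustration of the "how" asked for in the quoted message (this is example code, not from the thread, from Zend Framework, or from Zend_Filter itself), here is an allow-list character filter written in the ZF1 filter shape: a class exposing a filter($value) method, so it can sit in a Zend_Filter chain once it is declared to implement Zend_Filter_Interface. The class name, the inclusion of uppercase letters, and the $extra parameter are my assumptions; the punctuation set is the one proposed in the quote. Treat such a filter as defence in depth, not as a replacement for parameterised queries and output encoding: stripping characters at the input boundary does not tell the database or the browser what the remaining text means.

```php
<?php
// Added example, not code from the mailing-list thread or from Zend Framework.
// Allow-list filter: everything not in the list is removed. The list below is
// the one proposed in the quoted message (letters, digits, ".,;:()/[] '"),
// with uppercase letters added as an assumption.

class Allowlist_Chars_Filter
{
    /** Body of a PCRE character class naming the characters that survive. */
    private $allowed;

    /**
     * @param string $extra  Additional literal characters to allow (assumed
     *                       parameter; pass '' to use the proposal as-is).
     */
    public function __construct($extra = '')
    {
        // preg_quote escapes "/", "[", "]", "(", ")" and "." so that they are
        // literal inside the class; the second argument also escapes the
        // pattern delimiter used below.
        $this->allowed = 'a-zA-Z0-9' . preg_quote(".,;:()/[] '" . $extra, '/');
    }

    /**
     * Drop every character that is not on the allow-list.
     * Runs byte-wise (no /u flag), so any non-ASCII byte is removed as well,
     * which is what a strict ASCII allow-list intends. To use this inside a
     * Zend_Filter chain, add "implements Zend_Filter_Interface" to the class;
     * it is left off here so the file runs without ZF on the include path.
     */
    public function filter($value)
    {
        return preg_replace('/[^' . $this->allowed . ']/', '', (string) $value);
    }

    /** List the distinct characters filter() would remove, for logging. */
    public function rejected($value)
    {
        preg_match_all('/[^' . $this->allowed . ']/', (string) $value, $m);
        return array_values(array_unique($m[0]));
    }
}

// Constructed sample input (not real user data).
$sample = "O'Neil wrote <b>1/2</b> of it; see [notes].";
$f = new Allowlist_Chars_Filter();

echo $f->filter($sample), PHP_EOL;
echo 'removed: ', implode(' ', $f->rejected($sample)), PHP_EOL;
```

Logging the output of rejected() alongside the cleaned value is worth keeping: a sudden rise in stripped "<", ">", or quote characters from one client is a cheap signal that the form is being probed, and it lets you review whether the allow-list is silently mangling legitimate input such as names with accents.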