Hi,

Zladivliba Voskuy wrote
> Ok, I know this function is not secure, but could we make it into a secure
> one that maybe could be added to ZF so people who need secure text
> (meaning Alnum + punctuation) could use it.
> 
> [...]
> 
> class SecureText implements Zend_Filter_Interface
> {
>     public function filter($value)
>     {
>         return preg_replace('/[^a-zA-Z0-9 ;.,?+-_!\(\)\[\]]/e', "", $value);
>     }
> }
> 
> Does this make sense? Z.

1) Could you tell us some use cases, where you think this could be useful?

2) What about UTF-8?

3) I don't like your approach: if you get input you don't want, why
manipulate it so that you can accept it? I would recommend blocking it
and telling your user that you have blocked it because of...

Personally, I don't really like Zend_Filters at all. Well, they can be
useful for transforming something into a form for later usage, but when they
start to manipulate the original input... especially when it comes to security:
if you have already detected that something is not what you want, don't assume
you have understood what it is and transform it. When it comes to security, you
should block everything which looks suspicious to you. If not, chances are
good that someone is able to do things you didn't expect ;-)

Remember, in the race of "preparing against attacks" you are always in second
place. You don't know which new kinds of attacks come next...


-- 
Regards,
Thomas
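The following is an added example, not code from this thread or from Zend Framework, that puts the two approaches side by side: the quoted strip-what-you-dislike filter and a validate-and-reject class written in the shape of `Zend_Validate_Interface` (`isValid()` plus `getMessages()`) but without depending on ZF, so it runs stand-alone. The class name `SafeTextValidator`, the function `stripSuspicious` and the sample strings are assumptions made for the example. It also answers the UTF-8 question: with the `/u` modifier the allow-list is matched on code points, and `\p{L}`/`\p{N}` accept letters and digits in any script. Two details of the quoted pattern are worth seeing run: the `/e` modifier is unnecessary for an empty replacement (and was removed in PHP 7), and the unescaped hyphen in `+-_` is a character range from `+` (0x2B) to `_` (0x5F), so characters such as `/`, `<`, `=`, `>`, `@` and `\` are never stripped.

```php
<?php
// Added example (not from the thread or Zend Framework).

// The quoted filter, reproduced without the /e modifier. The unescaped
// hyphen makes "+-_" a range from '+' (0x2B) to '_' (0x5F), which silently
// admits '/', '<', '=', '>', '@', '\\', '^' and more.
function stripSuspicious(string $value): string
{
    return preg_replace('/[^a-zA-Z0-9 ;.,?+-_!\(\)\[\]]/', '', $value);
}

// Validate-and-reject: same intent (letters, digits and some punctuation),
// but the input is never rewritten; it is accepted or refused with a message.
// Assumed class name; mirrors Zend_Validate_Interface without requiring it.
class SafeTextValidator
{
    // Unicode-aware allow-list: /u matches on UTF-8 code points, the hyphen is
    // escaped so it is a literal, and \A ... \z anchors the whole string.
    private const ALLOWED  = '/\A[\p{L}\p{N} ;.,?+\-_!()\[\]]*\z/u';
    private const OFFENDER = '/[^\p{L}\p{N} ;.,?+\-_!()\[\]]/u';

    private array $messages = [];

    public function isValid($value): bool
    {
        $this->messages = [];
        if (!is_string($value)) {
            $this->messages[] = 'Value is not a string.';
            return false;
        }
        // preg_match with /u returns false on malformed UTF-8: reject that too,
        // rather than letting a byte-oriented filter "repair" it.
        if (preg_match('//u', $value) === false) {
            $this->messages[] = 'Value is not valid UTF-8.';
            return false;
        }
        if (preg_match(self::ALLOWED, $value) !== 1) {
            // Tell the user exactly what was refused (Thomas's "because of...").
            preg_match(self::OFFENDER, $value, $m, PREG_OFFSET_CAPTURE);
            $this->messages[] = sprintf(
                'Character %s at byte offset %d is not allowed.',
                json_encode($m[0][0]),
                $m[0][1]
            );
            return false;
        }
        return true;
    }

    public function getMessages(): array
    {
        return $this->messages;
    }
}

// Constructed samples (not taken from the thread).
$samples = [
    'Hello, world!',   // plain ASCII: unchanged by the filter, accepted by the validator
    'Grüße aus Köln',  // UTF-8 letters: filter mangles it to "Gre aus Kln", validator accepts it
    'a <b> c',         // '<' and '>' sit inside the +-_ range: filter keeps them, validator refuses
];

foreach ($samples as $s) {
    $v = new SafeTextValidator();
    printf(
        "%-20s filter=%-20s valid=%-3s %s\n",
        json_encode($s),
        json_encode(stripSuspicious($s)),
        $v->isValid($s) ? 'yes' : 'no',
        implode(' ', $v->getMessages())
    );
}
```

Run with `php example.php`. The third sample is the practical point of the reply: a filter that rewrites input gives back something that looks "cleaned" even when its own pattern has a bug, whereas the validator fails closed and names the offending character, leaving the decision about what to do with the input to the caller.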

