Personally, I like the way Code Igniter handles input variables:

$this->input->post('foo') or $this->input->get('foo') gets the raw variable
(unless you set the config option that all input should be filtered).
$this->input->post('foo', true) or $this->input->get('foo', true) gets the
filtered version. I'm in the habit of always adding the second argument just
as a matter of course to make sure my code is always secure, even if the
config option changes.

I've always disliked the fact that both GET and POST were combined into
handler_vars. Not only is this bad, as you said, for validation, but I'm
also wary of anything that limits functionality or adds confusion (does GET
or POST take priority if something's set both places?).

FWIW, I move that we break everything and split everything out into their
own arrays: get, post, rewrite, et al. We also need to beef up InputFilter
and maybe even filter everything by default.

I do agree with the general trend here, though. It should be more difficult
to get the unfiltered content than it is to get filtered content.

On Mon, Nov 3, 2008 at 5:52 PM, Owen Winkler <[EMAIL PROTECTED]> wrote:

>
> Matt Read wrote:
> >
> > If you think everything I said was crap, or have something to add,
> > please speak up :)
>
> I think these are all important considerations.  I think we should make
> it easier for developers to do good things by default in regard to these
> ideas.  For example...
>
> How would everyone feel about sanitizing handler_vars and g/p/c by
> default, and forcing code to use handler_vars_unsafe and
> $_(GET|POST|COOKIES)_UNSAFE[] if they want the raw values?
>
> This would make at least this single aspect easier to audit.
>
> Also, a similar approach could be taken in any instance where we push
> data around, like in Theme.  Any value assigned as a string to the theme
> could be converted into a new String class instance, which would default
> to output filtered, but could be retrieved raw:
>
> // Converts the incoming native string into a String instance:
> $theme->foo = '<script';
>
> // In the template:
> echo $foo; // Outputs the filtered value: ''
> echo $foo->unsafe(); // Outputs the raw value: '<script'
> echo $foo->html(); // Outputs < as &lt; : '&lt;script'
> echo $foo->encode(); // Output URL encodes: '%3cscript'
>
> Owen
>
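As an added example (not Habari code, and not Owen's), here is one way the "filtered by default, raw on request" String idea proposed above could be written in PHP; the class name SafeString and the specific filters chosen (strip_tags, htmlspecialchars, rawurlencode) are assumptions, not Habari's InputFilter:

```php
<?php
// Added example, not Habari code: a string wrapper that is safe to echo by
// default and makes raw access an explicit, greppable method call.
final class SafeString
{
    private string $raw;

    public function __construct(string $raw)
    {
        $this->raw = $raw;
    }

    // Default output: markup is stripped, so a plain `echo $foo` in a
    // template cannot inject tags. Note PHP's strip_tags drops everything
    // from an unclosed '<' to the end of the string.
    public function __toString(): string
    {
        return strip_tags($this->raw);
    }

    // Raw value; the name makes every unfiltered use easy to audit.
    public function unsafe(): string
    {
        return $this->raw;
    }

    // Entity-encoded for an HTML text or attribute context ('<' -> '&lt;').
    public function html(): string
    {
        return htmlspecialchars($this->raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    // Percent-encoded for a URL query component.
    public function encode(): string
    {
        return rawurlencode($this->raw);
    }
}

// Constructed untrusted input, standing in for a raw GET/POST value.
$foo = new SafeString('<script');

echo $foo, "\n";            // filtered: tags stripped
echo $foo->html(), "\n";    // entity-encoded for HTML
echo $foo->encode(), "\n";  // percent-encoded for a URL
echo $foo->unsafe(), "\n";  // raw, only when explicitly requested
```

The same wrapper could front $this->input->get()/post() so that the default return is the filtered form and the raw form requires the explicit unsafe() call.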

For more options, visit this group at http://groups.google.com/group/habari-dev
