You guys can write your own implementation and put it in PECL alongside the one I am putting in there and we can decide if any of them should be bundled by default. Perhaps none of them should, but like it or not, people want to filter at this level and the extension to satisfy this need will be available to them in PECL.
Yes, there should be an extension that implements the filter functions - but the normal data should still be available like it is in PHP 4.3 and PHP 5.0. Adding an ext for those filters is a good thing, mangling request data isn't (see the magic_quotes_gpc mess).
Derick
I agree very much with you on this. If PHP coders who are not admins on the server themselves have to start worrying about a default filter, that means they will have to filter all input because the default filter could be or might become something they don't want to see. And in that case, there's no use for a default for them anymore, they simply have to manually filter everything, just so they can get to their raw data. This whole default setting adds an uncertainty which will add a lot of lines of code.
Please don't make the magic_quotes_gpc mistake again, because in my humble opinion, that was the worst thing that ever happened to PHP.
It comes down to the fact that every single piece of data you get from GET, POST, Cookie and some Server variables *must* at the very least be passed through htmlentities or strip_tags before you can display any part of them. If you in any place do an echo $_GET['foo'] or even echo $_SERVER['PATH_INFO'], REQUEST_URI, USER_AGENT, REFERER, etc., your application is broken. And even if you do call these, if you haven't explicitly set your output encoding, your application is likely still vulnerable. How many web applications (not just PHP) do you think suffer from this? Just about every one from my perusal of not just sourceforge stuff but even things written by core PHP developers, including myself. I don't think we can continue to stick our head in the sand and just push this onto users. And everyone here understands that &{ needs to be stripped or entitied as well, right? How many non-internals folks do you think know that?
-Rasmus
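The output-escaping rule described in the message above, as an added example that is not code from the thread or from the filter extension: request-derived values are escaped with htmlspecialchars under an explicitly stated charset that matches the Content-Type header, and the sample $_GET and $_SERVER values (including the &{ case) are constructed here so the script runs from the CLI.

```php
<?php
// Added example (not from the thread): escaping request data at the point of output.
// Every value that originates from GET, POST, Cookie or $_SERVER goes through h()
// before it reaches HTML; the charset is stated explicitly rather than guessed.
declare(strict_types=1);

// Must match the charset sent in the Content-Type header.
const OUTPUT_CHARSET = 'UTF-8';

/** Escape one request-derived string for use in an HTML text node or attribute value. */
function h(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, OUTPUT_CHARSET);
}

// Constructed sample request data standing in for real $_GET / $_SERVER input.
$_GET['foo']                = '<script>alert(1)</script>';
$_SERVER['PATH_INFO']       = '/page/"><img src=x onerror=alert(2)>';
$_SERVER['HTTP_USER_AGENT'] = 'Mozilla/4.0 &{alert(3)};';   // the &{ case from the thread

if (PHP_SAPI !== 'cli') {
    // Declare the output encoding so the browser does not sniff a different one.
    header('Content-Type: text/html; charset=' . OUTPUT_CHARSET);
}

// Broken: raw request data echoed straight into the page.
$broken  = "<p>Hello " . $_GET['foo'] . "</p>\n";
$broken .= "<a href=\"" . $_SERVER['PATH_INFO'] . "\">link</a>\n";

// Fixed: the same data passed through h() wherever it is written out.
// "&{" becomes "&amp;{" because the ampersand itself is escaped.
$fixed  = "<p>Hello " . h($_GET['foo']) . "</p>\n";
$fixed .= "<a href=\"" . h($_SERVER['PATH_INFO']) . "\">link</a>\n";
$fixed .= "<p>UA: " . h($_SERVER['HTTP_USER_AGENT']) . "</p>\n";

echo "--- broken ---\n", $broken, "--- fixed ---\n", $fixed;
```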
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php