On 21.06.2011 19:12, Tomas Kuliavas wrote:
>>>> and this naive attitude is the root of most security problems!
>>>>
>>>> why do you believe that every client submission is coming over
>>>> your form or generally over anything you can control?
>>>>
>>>>
>>> that doesn't matter here, Tomas just corrected John, that his statement
>>> that chrome will always use utf-8 encoding for some special character isn't
>>> true.
>>> browsers will adhere to the
>>> http://www.w3.org/TR/html401/interact/forms.html#adef-accept-charset
>>> of course you can't trust user input, and you have to validate it, but
>>> this has nothing to do with this topic
>>
>> it has
>>
>> how do you validate input if the string functions have undefined results,
>> which you probably use for your validation?
>
> I've never said that he should trust user input. I've only said that his
> valid user inputs depend on html form format.
and i told you that this in the real world is utopic
there is a world outside of forms

show me FIVE php-apps which are using "accept-charset"
not one of mine - they do, and even there i can not be sure that all
of the thousands of scripts/websites i wrote use it really everywhere

> utf-8 is strict format. If you expect utf-8 and someone submits something
> else, you can tell that without any string function. You can verify utf-8
> strings in pcre. You can convert nbspace to regular space, if you want.
> utf-8 does not have any byte sequence that can collide with nbspace byte
> sequence in utf-8

show me a practicable way to detect if some input data contains UTF8

mb_string-functions are out of the game because there are many servers
even of real big companies where they are not available

so the problem is simply that you can not really write portable and well
performing code that is aware of UTF8
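As an added example (not code from this thread), here is the PCRE-only approach Tomas describes in the quoted text: validating form input as UTF-8 without mbstring and folding U+00A0 to a plain space by its byte sequence. The function names and the sample submissions are this example's own.

```php
<?php
// Added example, not from the thread. Requires only PCRE (always compiled into
// PHP), not mbstring, so it runs on hosts where mb_* functions are missing.

/**
 * Returns the cleaned string, or null if $input is not well-formed UTF-8.
 * The /u modifier makes PCRE validate the whole subject first: malformed
 * sequences, overlong encodings and surrogate code points all make
 * preg_match() return false (not 0) with PREG_BAD_UTF8_ERROR.
 */
function validate_utf8_input(string $input): ?string
{
    if (preg_match('//u', $input) !== 1) {
        return null;
    }
    // U+00A0 NO-BREAK SPACE is always the byte pair C2 A0 in UTF-8, and that
    // pair cannot occur inside any other character, so a byte-wise
    // str_replace() is safe once the string is known to be valid UTF-8.
    $normalised = str_replace("\xC2\xA0", ' ', $input);
    // trim() only strips ASCII bytes by default, which is also safe here.
    return trim($normalised);
}

/** True if $input is valid UTF-8 and contains at least one non-ASCII character. */
function contains_multibyte_utf8(string $input): bool
{
    return preg_match('//u', $input) === 1
        && preg_match('/[\x80-\xFF]/', $input) === 1;
}

// Constructed sample submissions: an NBSP between words, pure ASCII, a
// Latin-1 byte (0xE9) that is not valid UTF-8, and an overlong encoding of '/'.
$samples = [
    "Hello\xC2\xA0World",
    "plain ascii",
    "caf\xE9",
    "\xC0\xAF",
];

foreach ($samples as $s) {
    $clean = validate_utf8_input($s);
    printf("%-22s multibyte=%-5s -> %s\n",
        bin2hex($s),
        contains_multibyte_utf8($s) ? 'yes' : 'no',
        $clean === null ? 'REJECTED (not UTF-8)' : '"' . $clean . '"');
}
```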