Hi,
I propose a new idea for HTTP input handler to improve security and
multibyte encoding support.
Currently, user input by POST/GET/Cookie is treated by
internal function php_treat_variables().
Some security related work to prevent some security attack
is preformed in PHP script by htmlspecialchars() and regex().
And multibyte encoding detection and translation which is necessary
for multibyte enable Web application is implemented by
override php_treat_variables().
My idea is to introduce some general input filter/handler
for php_treat_variables().
It is a similar concept as output buffering handler.
For example, if a user defined
input_handler = http_input_check,mb_filter
in php.ini, user defined security check handler and
multibyte encoding translation are perfomed.
Generally, http input check for secure transaction is really
hard work and some programers might make some critical mistake.
And PHP script with http input check is usually hard to read.
If we can use http input handler, we can implemnt separately
http input check and Web application.
--
-----------------------------------------------------
Rui Hirokawa <[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
