Rui Hirokawa wrote:
> Hi,
>
> I propose a new idea for HTTP input handler to improve security and
> multibyte encoding support.
>
> Currently, user input by POST/GET/Cookie is treated by
> internal function php_treat_variables().
>
> Some security related work to prevent some security attack
> is performed in PHP script by htmlspecialchars() and regex().
>
> And multibyte encoding detection and translation which is necessary
> for multibyte-enabled Web application is implemented by
> overriding php_treat_variables().
>
> My idea is to introduce some general input filter/handler
> for php_treat_variables().
>
> It is a similar concept as output buffering handler.
>
> For example, if a user defined
>
> input_handler = http_input_check,mb_filter

Currently, the output_handler directive accepts one handler AFAIK.
If the PHP parser is going to be changed, it would be nice to have the
same syntax for output_handler also.

>
> in php.ini, user defined security check handler and
> multibyte encoding translation are performed.
>
> Generally, http input check for secure transaction is really
> hard work and some programmers might make some critical mistake.
> And PHP script with http input check is usually hard to read.

Agreed. I have a class for that, but if PHP supports an input handler,
it helps a lot.

>
> If we can use http input handler, we can implement separately
> http input check and Web application.
> *1

--
Yasuo Ohgaki

--
PHP Development Mailing List <http://www.php.net/>