At 02:52 16/01/2003, Rasmus Lerdorf wrote:
In trying to implement a security policy I need to pass all user-supplied
data (GET/POST/Cookie) through a filter function which implements this
security. This isn't all that hard to implement as an extension through
new 4.3 treat_data and post_handler hooks, however it gets messy when you
throw mbstring into the mix as that extension also uses those hooks.
The cleanest way I can think of doing this is to add a function pointer to
SAPI for the filtering function that will be run right before the
php_register_variable_safe() call. Currently we are always calling
php_url_decode() on the data before registering the variable, so I propose
that we make php_url_decode() the default that an extension can then
override.
Anybody see any reason not to make this simple change? Without that I
will need to somehow detect whether mbstring is present and then filter
the data after it has already been registered by mbstring's
treat_data/post_handler hooks. That's a big mess!
Sounds good to me.
Zeev
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
