Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
Hi Jason!

On Wed, 08 Aug 2001, Jason Greene wrote:

From: Zeev Suraski [EMAIL PROTECTED]

My top of the list is:

$_REQUEST
$_EVIL (Andi and I think it's really pretty good, but we both figured we'll end up going with a different alternative :)

What about $_TAINTED ?

for non-english ppl REQUEST is a more familiar word than TAINTED. I only encountered it when studying JS security.

-- teodor

--
PHP Development Mailing List http://www.php.net/
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
What about $_TAINTED ?

for non-english ppl REQUEST is a more familiar word than TAINTED. I only encountered it when studying JS security.

+1, tainted? I needed a dictionary for that...

-- teodor
Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
- Original Message -
From: Zeev Suraski [EMAIL PROTECTED]
To: Jani Taskinen [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, August 08, 2001 1:02 PM
Subject: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

At 21:01 08-08-01, Jani Taskinen wrote:

[moving this to php-dev]

First: Great! Woohoo! Thanks Zeev!

Andi helped with it too :)

I vote for $_EVIL :)

Well that would inspire programmers to be more security conscious with that data : )

Zeev
Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
At 20:02 8/8/2001, Zeev Suraski wrote the following:
--
At 21:01 08-08-01, Jani Taskinen wrote:

[moving this to php-dev]

First: Great! Woohoo! Thanks Zeev!

Andi helped with it too :)

I vote for $_EVIL :)

How about $_DONT_TOUCH_THIS ? :)

Seriously though, I vote for $_REQUEST. After all, it contains data which is (generally) tied to one particular request...

[EMAIL PROTECTED] - And the eyes of them both were opened and they saw that their files were world readable and writable, so they chmoded 600 their files. - Book of Installation chapt 3 sec 7
Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
How about $_COULDCONTAINSHELLCODE?

-jason

- Original Message -
From: Jani Taskinen [EMAIL PROTECTED]
To: Zeev Suraski [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, August 08, 2001 1:09 PM
Subject: Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

On Wed, 8 Aug 2001, Zeev Suraski wrote:

At 21:01 08-08-01, Jani Taskinen wrote:

[moving this to php-dev]

First: Great! Woohoo! Thanks Zeev!

Andi helped with it too :)

Ah. Thanks Andi! :)

I vote for $_EVIL :)

I am not kidding. Naming it like that would definitely be a clear sign for everyone that this stuff is not safe to use just as it is.

--Jani
Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
At 20:14 8/8/2001, Jani Taskinen wrote the following:
--
On Wed, 8 Aug 2001, Cynic wrote:

How about $_DONT_TOUCH_THIS ? :)

Seriously though, I vote for $_REQUEST. After all, it contains data which is (generally) tied to one particular request...

This reminds me that should the $_FILES be included in this data too? As it's also something you shouldn't trust and it's also coming from the user.

--Jani

Yeah. And $_SESSION too.

[EMAIL PROTECTED] - And the eyes of them both were opened and they saw that their files were world readable and writable, so they chmoded 600 their files. - Book of Installation chapt 3 sec 7
Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
What about using the acronyms in any combination.

like $_GPC and $_GC and etc

-Jason

- Original Message -
From: Cynic [EMAIL PROTECTED]
To: Jani Taskinen [EMAIL PROTECTED]
Cc: Zeev Suraski [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, August 08, 2001 1:25 PM
Subject: Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

At 20:14 8/8/2001, Jani Taskinen wrote the following:
--
On Wed, 8 Aug 2001, Cynic wrote:

How about $_DONT_TOUCH_THIS ? :)

Seriously though, I vote for $_REQUEST. After all, it contains data which is (generally) tied to one particular request...

This reminds me that should the $_FILES be included in this data too? As it's also something you shouldn't trust and it's also coming from the user.

--Jani

Yeah. And $_SESSION too.

[EMAIL PROTECTED] - And the eyes of them both were opened and they saw that their files were world readable and writable, so they chmoded 600 their files. - Book of Installation chapt 3 sec 7
Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
At 21:14 08-08-01, Jani Taskinen wrote:

On Wed, 8 Aug 2001, Cynic wrote:

At 20:02 8/8/2001, Zeev Suraski wrote the following:
--
At 21:01 08-08-01, Jani Taskinen wrote:

[moving this to php-dev]

First: Great! Woohoo! Thanks Zeev!

Andi helped with it too :)

I vote for $_EVIL :)

How about $_DONT_TOUCH_THIS ? :)

Seriously though, I vote for $_REQUEST. After all, it contains data which is (generally) tied to one particular request...

This reminds me that should the $_FILES be included in this data too? As it's also something you shouldn't trust and it's also coming from the user.

Yep, $_FILES should probably be there too.

Zeev
Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
My top of the list is:

$_REQUEST
$_EVIL (Andi and I think it's really pretty good, but we both figured we'll end up going with a different alternative :)

Zeev

At 21:12 08-08-01, Jason Greene wrote:

What about using the acronyms in any combination.

like $_GPC and $_GC and etc

-Jason

- Original Message -
From: Cynic [EMAIL PROTECTED]
To: Jani Taskinen [EMAIL PROTECTED]
Cc: Zeev Suraski [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, August 08, 2001 1:25 PM
Subject: Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

At 20:14 8/8/2001, Jani Taskinen wrote the following:
--
On Wed, 8 Aug 2001, Cynic wrote:

How about $_DONT_TOUCH_THIS ? :)

Seriously though, I vote for $_REQUEST. After all, it contains data which is (generally) tied to one particular request...

This reminds me that should the $_FILES be included in this data too? As it's also something you shouldn't trust and it's also coming from the user.

--Jani

Yeah. And $_SESSION too.

[EMAIL PROTECTED] - And the eyes of them both were opened and they saw that their files were world readable and writable, so they chmoded 600 their files. - Book of Installation chapt 3 sec 7

--
Zeev Suraski [EMAIL PROTECTED]
CTO co-founder, Zend Technologies Ltd. http://www.zend.com/
Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
- Original Message -
From: Zeev Suraski [EMAIL PROTECTED]
To: Jason Greene [EMAIL PROTECTED]
Cc: Jani Taskinen [EMAIL PROTECTED]; Cynic [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, August 08, 2001 1:20 PM
Subject: Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

My top of the list is:

$_REQUEST
$_EVIL (Andi and I think it's really pretty good, but we both figured we'll end up going with a different alternative :)

What about $_TAINTED ?

-Jason

Zeev

At 21:12 08-08-01, Jason Greene wrote:

What about using the acronyms in any combination.

like $_GPC and $_GC and etc

-Jason

- Original Message -
From: Cynic [EMAIL PROTECTED]
To: Jani Taskinen [EMAIL PROTECTED]
Cc: Zeev Suraski [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, August 08, 2001 1:25 PM
Subject: Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

At 20:14 8/8/2001, Jani Taskinen wrote the following:
--
On Wed, 8 Aug 2001, Cynic wrote:

How about $_DONT_TOUCH_THIS ? :)

Seriously though, I vote for $_REQUEST. After all, it contains data which is (generally) tied to one particular request...

This reminds me that should the $_FILES be included in this data too? As it's also something you shouldn't trust and it's also coming from the user.

--Jani

Yeah. And $_SESSION too.

[EMAIL PROTECTED] - And the eyes of them both were opened and they saw that their files were world readable and writable, so they chmoded 600 their files. - Book of Installation chapt 3 sec 7

--
Zeev Suraski [EMAIL PROTECTED]
CTO co-founder, Zend Technologies Ltd. http://www.zend.com/
Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
At 20:33 8/8/2001, Jani Taskinen wrote the following:
--
On Wed, 8 Aug 2001, Cynic wrote:

Yeah. And $_SESSION too.

Nope. It doesn't come from the user.

Err, you're right.

[EMAIL PROTECTED] - And the eyes of them both were opened and they saw that their files were world readable and writable, so they chmoded 600 their files. - Book of Installation chapt 3 sec 7
Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
On 08/08/01, Jani Taskinen [EMAIL PROTECTED] wrote:

On Wed, 8 Aug 2001, Cynic wrote:

Yeah. And $_SESSION too.

Nope. It doesn't come from the user.

But it would be useful for $_SESSION to have the same global scope as these new vars.

--Wez.
Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
On Wed, Aug 08, 2001 at 09:20:55PM +0300, Zeev Suraski wrote:

My top of the list is:

$_REQUEST

$_REQ would be even nicer - and less to type without hiding the meaning.

$_EVIL (Andi and I think it's really pretty good, but we both figured we'll end up going with a different alternative :)

evil might cause some moral/religious problems for some ppls, i don't think anything in PHP should be called like that.

tc
Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
On Wed, 08 Aug 2001, Thies C. Arntzen wrote:

On Wed, Aug 08, 2001 at 09:20:55PM +0300, Zeev Suraski wrote:

My top of the list is:

$_REQUEST

$_REQ would be even nicer - and less to type without hiding the meaning.

The Perl meter is registering non-zero reading here.

evil might cause some moral/religious problems for some ppls, i don't think anything in PHP should be called like that.

you mean like easter_date()?

-Andrei

'Any given program, when running correctly, is obsolete.' - First Law of Computer Programming
Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)
At 22:13 08-08-01, Thies C. Arntzen wrote:

On Wed, Aug 08, 2001 at 09:20:55PM +0300, Zeev Suraski wrote:

My top of the list is:

$_REQUEST

$_REQ would be even nicer - and less to type without hiding the meaning.

I agree with Andrei on this one...

$_EVIL (Andi and I think it's really pretty good, but we both figured we'll end up going with a different alternative :)

evil might cause some moral/religious problems for some ppls, i don't think anything in PHP should be called like that.

Hmm, interesting point :)

Zeev