Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-09 Thread Jeroen van Wolffelaar

> > What about $_TAINTED ?
> > 
> for non-english ppl REQUEST is a more familiar word than TAINTED. I only
> encountered it when studying JS security.

+1, tainted? I needed a dictionary for that...

> 
> -- teodor


-- 
PHP Development Mailing List 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-09 Thread teo

Hi Jason!
On Wed, 08 Aug 2001, Jason Greene wrote:

> From: "Zeev Suraski" <[EMAIL PROTECTED]>
> > My top of the list is:
> > 
> > $_REQUEST
> > $_EVIL (Andi and I think it's really pretty good, but we both figured we'll 
> > end up going with a different alternative :)
> 
> What about $_TAINTED ?
> 
for non-english ppl REQUEST is a more familiar word than TAINTED. I only
encountered it when studying JS security.

-- teodor





Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-08 Thread Zeev Suraski

At 22:13 08-08-01, Thies C. Arntzen wrote:
>On Wed, Aug 08, 2001 at 09:20:55PM +0300, Zeev Suraski wrote:
> > My top of the list is:
> >
> > $_REQUEST
>
> $_REQ would be even nicer - and less to type without hiding
> the meaning.

I agree with Andrei on this one...

> > $_EVIL (Andi and I think it's really pretty good, but we both figured 
> we'll
> > end up going with a different alternative :)
>
> evil might cause some moral/religious problems for some ppls,
> I don't think anything in PHP should be called like that.

Hmm, interesting point :)

Zeev






Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-08 Thread Andrei Zmievski

On Wed, 08 Aug 2001, Thies C. Arntzen wrote:
> On Wed, Aug 08, 2001 at 09:20:55PM +0300, Zeev Suraski wrote:
> > My top of the list is:
> > 
> > $_REQUEST
> 
> $_REQ would be even nicer - and less to type without hiding
> the meaning.

The "Perl meter" is registering non-zero reading here.

> evil might cause some moral/religious problems for some ppls,
> I don't think anything in PHP should be called like that.

you mean like easter_date()?

-Andrei

'Any given program, when running correctly, is obsolete.'
  - First Law of Computer Programming





Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-08 Thread Thies C. Arntzen

On Wed, Aug 08, 2001 at 09:20:55PM +0300, Zeev Suraski wrote:
> My top of the list is:
> 
> $_REQUEST

$_REQ would be even nicer - and less to type without hiding
the meaning.

> $_EVIL (Andi and I think it's really pretty good, but we both figured we'll 
> end up going with a different alternative :)

evil might cause some moral/religious problems for some ppls,
I don't think anything in PHP should be called like that.

tc





Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-08 Thread Wez Furlong

On 08/08/01, "Jani Taskinen" <[EMAIL PROTECTED]> wrote:
> On Wed, 8 Aug 2001, Cynic wrote:
> >Yeah. And $_SESSION too.
> Nope. It doesn't come from the user.

But it would be useful for $_SESSION to have the same global scope as
these new vars.

--Wez.






Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-08 Thread Cynic

At 20:33 8/8/2001, Jani Taskinen wrote the following:
-- 
>On Wed, 8 Aug 2001, Cynic wrote:
>>Yeah. And $_SESSION too.
>
>Nope. It doesn't come from the user.

Err, you're right.




[EMAIL PROTECTED]
-
And the eyes of them both were opened and they saw that their files
were world readable and writable, so they chmoded 600 their files.
- Book of Installation chapt 3 sec 7 






Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-08 Thread Jason Greene


- Original Message - 
From: "Zeev Suraski" <[EMAIL PROTECTED]>
To: "Jason Greene" <[EMAIL PROTECTED]>
Cc: "Jani Taskinen" <[EMAIL PROTECTED]>; "Cynic" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, August 08, 2001 1:20 PM
Subject: Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)


> My top of the list is:
> 
> $_REQUEST
> $_EVIL (Andi and I think it's really pretty good, but we both figured we'll 
> end up going with a different alternative :)

What about $_TAINTED ?

-Jason

> 
> Zeev
> 
> At 21:12 08-08-01, Jason Greene wrote:
> >What about using the acronyms in any combination.
> >
> >like $_GPC
> >and $_GC
> >and etc
> >
> >-Jason
> >- Original Message -
> >From: "Cynic" <[EMAIL PROTECTED]>
> >To: "Jani Taskinen" <[EMAIL PROTECTED]>
> >Cc: "Zeev Suraski" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> >Sent: Wednesday, August 08, 2001 1:25 PM
> >Subject: Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: 
> >php4 / NEWS...)
> >
> >
> > > At 20:14 8/8/2001, Jani Taskinen wrote the following:
> > > --
> > > >On Wed, 8 Aug 2001, Cynic wrote:
> > > >
> > > >>How about $_DONT_TOUCH_THIS ? :)
> > > >>Seriously though, I vote for $_REQUEST. After all, it contains
> > > >>data which is (generally) tied to one particular request...
> > > >
> > > >This reminds me that should the $_FILES be included in this
> > > >data too? As it's also something you shouldn't trust and
> > > >it's also coming from the user.
> > > >
> > > >--Jani
> > >
> > > Yeah. And $_SESSION too.
> > >
> > >
> > >
> > > [EMAIL PROTECTED]
> > > -
> > > And the eyes of them both were opened and they saw that their files
> > > were world readable and writable, so they chmoded 600 their files.
> > > - Book of Installation chapt 3 sec 7
> > >
> > >
> 
> --
> Zeev Suraski <[EMAIL PROTECTED]>
> CTO &  co-founder, Zend Technologies Ltd. http://www.zend.com/
> 
> 






Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-08 Thread Zeev Suraski

My top of the list is:

$_REQUEST
$_EVIL (Andi and I think it's really pretty good, but we both figured we'll 
end up going with a different alternative :)

Zeev

At 21:12 08-08-01, Jason Greene wrote:
>What about using the acronyms in any combination.
>
>like $_GPC
>and $_GC
>and etc
>
>-Jason
>- Original Message -
>From: "Cynic" <[EMAIL PROTECTED]>
>To: "Jani Taskinen" <[EMAIL PROTECTED]>
>Cc: "Zeev Suraski" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
>Sent: Wednesday, August 08, 2001 1:25 PM
>Subject: Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: 
>php4 / NEWS...)
>
>
> > At 20:14 8/8/2001, Jani Taskinen wrote the following:
> > --
> > >On Wed, 8 Aug 2001, Cynic wrote:
> > >
> > >>How about $_DONT_TOUCH_THIS ? :)
> > >>Seriously though, I vote for $_REQUEST. After all, it contains
> > >>data which is (generally) tied to one particular request...
> > >
> > >This reminds me that should the $_FILES be included in this
> > >data too? As it's also something you shouldn't trust and
> > >it's also coming from the user.
> > >
> > >--Jani
> >
> > Yeah. And $_SESSION too.
> >
> >
> >
> > [EMAIL PROTECTED]
> > -
> > And the eyes of them both were opened and they saw that their files
> > were world readable and writable, so they chmoded 600 their files.
> > - Book of Installation chapt 3 sec 7
> >
> >

--
Zeev Suraski <[EMAIL PROTECTED]>
CTO &  co-founder, Zend Technologies Ltd. http://www.zend.com/






Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-08 Thread Zeev Suraski

At 21:14 08-08-01, Jani Taskinen wrote:
>On Wed, 8 Aug 2001, Cynic wrote:
>
> >At 20:02 8/8/2001, Zeev Suraski wrote the following:
> >--
> >>At 21:01 08-08-01, Jani Taskinen wrote:
> >>
> >>>[moving this to php-dev]
> >>>
> >>>First: Great! Woohoo! Thanks Zeev!
> >>
> >>Andi helped with it too :)
> >>
> >>I vote for $_EVIL :)
> >
> >How about $_DONT_TOUCH_THIS ? :)
> >Seriously though, I vote for $_REQUEST. After all, it contains
> >data which is (generally) tied to one particular request...
>
>This reminds me that should the $_FILES be included in this
>data too? As it's also something you shouldn't trust and
>it's also coming from the user.

Yep, $_FILES should probably be there too.

Zeev






Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-08 Thread Jason Greene

What about using the acronyms in any combination.

like $_GPC
and $_GC
and etc

-Jason
- Original Message - 
From: "Cynic" <[EMAIL PROTECTED]>
To: "Jani Taskinen" <[EMAIL PROTECTED]>
Cc: "Zeev Suraski" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, August 08, 2001 1:25 PM
Subject: Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)


> At 20:14 8/8/2001, Jani Taskinen wrote the following:
> -- 
> >On Wed, 8 Aug 2001, Cynic wrote:
> >
> >>How about $_DONT_TOUCH_THIS ? :)
> >>Seriously though, I vote for $_REQUEST. After all, it contains
> >>data which is (generally) tied to one particular request...
> >
> >This reminds me that should the $_FILES be included in this
> >data too? As it's also something you shouldn't trust and
> >it's also coming from the user.
> >
> >--Jani
> 
> Yeah. And $_SESSION too.
> 
> 
> 
> [EMAIL PROTECTED]
> -
> And the eyes of them both were opened and they saw that their files
> were world readable and writable, so they chmoded 600 their files.
> - Book of Installation chapt 3 sec 7 
> 
> 






Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-08 Thread Cynic

At 20:14 8/8/2001, Jani Taskinen wrote the following:
-- 
>On Wed, 8 Aug 2001, Cynic wrote:
>
>>How about $_DONT_TOUCH_THIS ? :)
>>Seriously though, I vote for $_REQUEST. After all, it contains
>>data which is (generally) tied to one particular request...
>
>This reminds me that should the $_FILES be included in this
>data too? As it's also something you shouldn't trust and
>it's also coming from the user.
>
>--Jani

Yeah. And $_SESSION too.



[EMAIL PROTECTED]
-
And the eyes of them both were opened and they saw that their files
were world readable and writable, so they chmoded 600 their files.
- Book of Installation chapt 3 sec 7 






Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-08 Thread Jason Greene

How about $_COULDCONTAINSHELLCODE?

-jason

- Original Message - 
From: "Jani Taskinen" <[EMAIL PROTECTED]>
To: "Zeev Suraski" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, August 08, 2001 1:09 PM
Subject: Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)


> On Wed, 8 Aug 2001, Zeev Suraski wrote:
> 
> >At 21:01 08-08-01, Jani Taskinen wrote:
> >
> >>[moving this to php-dev]
> >>
> >>First: Great! Woohoo! Thanks Zeev!
> >
> >Andi helped with it too :)
> 
> Ah. Thanks Andi! :)
> 
> >I vote for $_EVIL :)
> 
> I am not kidding. Naming it like that would definitely
> be a clear sign for everyone that this stuff is not safe
> to use just as it is.
> 
> --Jani
> 
> 
> 


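An added illustration, not from the thread and not PHP's own implementation, of the two points Jani makes above: the merged array (whatever it ends up being called) holds nothing but client-supplied data, $_FILES included, so it "is not safe to use just as it is", while $_SESSION stays out because the server owns it. The helper names, the 'GPC' merge order and the sample input are assumptions made for the example.

```php
<?php
// Added example (not from the thread, not PHP's own code): a merged
// "request" array like the proposed $_REQUEST, built from the
// client-controlled sources $_GET, $_POST and $_COOKIE (and $_FILES, as
// Jani and Zeev suggest). $_SESSION is left out on purpose: it is
// server-side state, not something the client sends.

// $sources maps a letter to one source array; later letters in $order
// win, so with 'GPC' a cookie named 'id' silently replaces ?id= from the
// URL. Whatever the order, nothing in the result is trustworthy yet.
function build_request_array(array $sources, string $order = 'GPC'): array
{
    $merged = [];
    foreach (str_split($order) as $letter) {
        $merged = array_merge($merged, $sources[$letter] ?? []);
    }
    return $merged;
}

// Validate instead of trust: the key must exist, be a plain string and
// parse as an integer inside an explicit range. Anything else is rejected.
function expect_int(array $req, string $key, int $min, int $max): int
{
    if (!isset($req[$key]) || !is_string($req[$key])) {
        throw new InvalidArgumentException("missing or non-scalar $key");
    }
    $value = filter_var($req[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    if ($value === false) {
        throw new InvalidArgumentException("$key is not an integer in [$min, $max]");
    }
    return $value;
}

// Constructed sample input standing in for a real request.
$sources = [
    'G' => ['id' => '42', 'page' => '2'],
    'P' => ['page' => 'two'],
    'C' => ['id' => '-1'],
];
$req = build_request_array($sources);
// $req is ['id' => '-1', 'page' => 'two']: the cookie overrode the URL id.
foreach (['id' => [1, 1000000], 'page' => [1, 500]] as $key => [$min, $max]) {
    try {
        printf("%s = %d\n", $key, expect_int($req, $key, $min, $max));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

In PHP as shipped, which source wins inside $_REQUEST is governed by the variables_order (and later request_order) ini settings rather than a hard-coded 'GPC', so the overriding source is a deployment decision and validation has to hold for every order.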




Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-08 Thread Cynic

At 20:02 8/8/2001, Zeev Suraski wrote the following:
-- 
>At 21:01 08-08-01, Jani Taskinen wrote:
>
>>[moving this to php-dev]
>>
>>First: Great! Woohoo! Thanks Zeev!
>
>Andi helped with it too :)
>
>I vote for $_EVIL :)

How about $_DONT_TOUCH_THIS ? :)
Seriously though, I vote for $_REQUEST. After all, it contains
data which is (generally) tied to one particular request...




[EMAIL PROTECTED]
-
And the eyes of them both were opened and they saw that their files
were world readable and writable, so they chmoded 600 their files.
- Book of Installation chapt 3 sec 7 






Re: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)

2001-08-08 Thread Jason Greene


- Original Message - 
From: "Zeev Suraski" <[EMAIL PROTECTED]>
To: "Jani Taskinen" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, August 08, 2001 1:02 PM
Subject: [PHP-DEV] Re: The new $_GET/POST/ENV (was: Re: [PHP-CVS] cvs: php4 / NEWS...)


> At 21:01 08-08-01, Jani Taskinen wrote:
> 
> >[moving this to php-dev]
> >
> >First: Great! Woohoo! Thanks Zeev!
> 
> Andi helped with it too :)
> 
>  I vote for $_EVIL :)

Well that would inspire programmers to be more security conscious with that data : )


> 
> Zeev
> 
> 

