Gary Mort wrote:
David Krings wrote:
Exactly! All input is evil, even when it comes from your database and
your script. There is no good reason not to check input each and every
time, there are only bad excuses for not doing it.
Well, by that token you should maintain a digital signature of every
script that runs, and PHP should check those signatures before running
the program. Then of course every program should be checking the
digital signature of php itself on the server to make sure no one
tampered with that. Oh, and you might as well be checking digital
signatures of any other php file you plan on including before you allow
it to be included.
Of course, eventually all this checking is going to drag your
performance down to an unacceptable level. But that's a bad excuse for
not doing it.
:-)
-Gary
But since when are scripts considered input?
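As an added illustration of the "all input is evil, even when it comes from your database" point above (example code, not from either poster): a row read back from storage is treated exactly like a form submission, with the id validated as an integer, the e-mail validated before use, and the stored name escaped on output so it renders as text rather than markup. The `$row` array is a constructed stand-in for a record fetched with PDO.

```php
<?php
// Added example (not from the thread): values read back from the database
// get the same validation and output escaping as values from the request.
declare(strict_types=1);

// Constructed stand-in for a fetched row; "display_name" was written by an
// earlier request and may contain whatever a user submitted at the time.
$row = [
    'id'           => '42',
    'display_name' => '<b>Bob</b> & "friends"',
    'email'        => 'not-an-address',
];

// Validate the id as a positive integer instead of trusting the column type.
$id = filter_var($row['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    throw new UnexpectedValueException('Invalid id read from database');
}

// Validate the e-mail; a failing value is treated as missing, not echoed.
$email = filter_var($row['email'], FILTER_VALIDATE_EMAIL);
if ($email === false) {
    $email = null;
}

// Escape on output: the stored name is rendered as text, never as HTML.
$safeName = htmlspecialchars($row['display_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');

printf("<p>User %d: %s</p>\n", $id, $safeName);
if ($email !== null) {
    printf("<p>Contact: %s</p>\n", htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}
```

The point of validating again on read is that the database only guarantees what its schema enforces; a column declared as text says nothing about whether the text is safe to place in HTML, an e-mail header, or a shell command, so the check belongs at each point of use.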
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php