Posted by Ben Ramsey on 11/11/05 00:21
On 11/10/05 4:48 PM, Richard Lynch wrote:
> Here's an idea... Quite possibly half-baked.
>
> Suppose PHP had a superglobal $_CLEAN which was an empty array.
>
> Further suppose it was documented in the manual as *the* place to put
> your scrubbed data.
>
> This rather small and hopefully inexpensive change (in terms of PHP
> Dev/Docs team work) would quite possibly improve scripts by newbies,
> simply by nudging them in the proper direction, because it would be a
> documented feature, and it would have all the nifty cross-links in the
> manual and all that.
>
> It would also help to keep code cleaner to have $_CLEAN be a
> superglobal rather than just something I made up and have to declare
> as "global" all the time.
>
> Comments? Suggestions? Derogatory remarks?

There is an Input Filter PECL extension that's still in beta, and I
think it's a good step, though I'm not so sure about some of the
sanitizing it performs. It doesn't offer the superglobal you're
suggesting, but it probably wouldn't be too difficult to put it in there.

The only issue I see with building in a superglobal to the language (or
this extension) is that it doesn't force the user to instantiate the
empty array at the top of the script. This could make for a lazy
developer, and, if s/he's not careful, anyone running the application on
a machine in which register_globals is turned on would run the risk of
having a potentially tainted $_CLEAN array, which defeats the purpose of
the clean array altogether. The point is that the developer should be
able to trust the data in $clean.

If PHP had a taint mode and didn't have register_globals, then we'd be
making some progress.
--
Ben Ramsey
http://benramsey.com/
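The register_globals pitfall described in the reply above, as an added example that is not part of the original thread and not code from either poster. register_globals is a php.ini setting that cannot be switched on from inside a script, so the example simulates it with extract(): every key of a constructed request becomes a local variable before the "developer's" validation code runs, which is exactly what register_globals does to the global scope. The request payload and the whitelist pattern are constructed for illustration.

```php
<?php
// Constructed request. The attacker supplies a "clean" parameter, e.g.
// ?user=bob%3B+DROP+TABLE+users&clean[user]=bob%3B+DROP+TABLE+users
// With register_globals=On, PHP would create $clean from that parameter
// before a single line of application code executes.
$request = array(
    'user'  => 'bob; DROP TABLE users',
    'clean' => array('user' => 'bob; DROP TABLE users'),
);

/**
 * Validate $request['user'] into a $clean array and return what ends up
 * in $clean['user'].
 *
 * $initialize = false reproduces the lazy script that never writes
 * "$clean = array();" at the top; $initialize = true is the hardened form.
 */
function validate_into_clean(array $request, $initialize)
{
    // Simulates register_globals=On: request keys become variables in this
    // scope before any validation has run. (Assumption for the demo only;
    // the real setting acts on the global scope at request start.)
    extract($request, EXTR_OVERWRITE);

    if ($initialize) {
        // Hardened form: $clean starts empty no matter what the request held.
        $clean = array();
    }

    // Whitelist validation: copy the input into $clean only once it matches
    // a strict pattern. Anything else is simply never written to $clean.
    if (isset($request['user']) && preg_match('/^[a-z0-9_]{1,32}$/', $request['user'])) {
        $clean['user'] = $request['user'];
    }

    // A careless developer now trusts $clean['user'] without further checks.
    return isset($clean['user']) ? $clean['user'] : null;
}

// Lazy script: validation rejected the input, yet $clean['user'] is the
// attacker's pre-seeded value, because $clean already existed.
var_dump(validate_into_clean($request, false));

// Hardened script: $clean was reset to an empty array, so the rejected
// input never reaches $clean['user'].
var_dump(validate_into_clean($request, true));
```

The first var_dump prints the tainted string and the second prints NULL. The validation logic is identical in both paths; the only difference is the explicit `$clean = array();`, which is the line a built-in $_CLEAN superglobal would tempt developers to omit. Initializing the array is a mitigation, not a substitute for turning register_globals off, since any other uninitialized variable in the script is exposed the same way.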