Re: [PHP] Re: Select and $_POST

Posted by "Richard Lynch" on 11/11/05 00:53

On Thu, November 10, 2005 4:21 pm, Ben Ramsey wrote:
> On 11/10/05 4:48 PM, Richard Lynch wrote:
> The only issue I see with building in a superglobal to the language (or
> this extension) is that it doesn't force the user to instantiate the
> empty array at the top of the script. This could make for a lazy
> developer, and, if s/he's not careful, anyone running the application on
> a machine in which register_globals is turned on would run the risk of
> having a potentially tainted $_CLEAN array, which defeats the purpose of
> the clean array altogether. The point is that the developer should be
> able to trust the data in $clean.

I specifically stated the $_CLEAN "was an empty array".

By that I meant that $_CLEAN is initialized (by PHP core code) to be
an empty array, as part of the initialization routine that sets up
$_SERVER and sometimes $_POST/$_GET/$_COOKIE.

$_CLEAN would start as an empty array in all PHP setups (Module, CGI,
CLI, whatever) regardless of any other condition, pre-condition,
php.ini setting, or phase of the moon. :-)

--- unit test ------------
<?php var_dump($_CLEAN);?>
--------------------------

--- expected output ------
array(0) {
}
--------------------------


I wouldn't be too keen on it being only done as part of some PECL
extension that may or may not get loaded, particularly as the order of
loading of PECL extensions then would have an effect, I should
think...

PS
The problem with any generic/modular Input Filtering is that one is
never too sure about some of the sanitizing it performs.

There are simply too many application-specific sanitization "gotchas"
that make this something that is almost always best re-written from
scratch each time, imho...

Not that you don't re-use and cut-and-paste, but maybe in this one
email can be blank, but not in that one, or whatever. Too many
variables, and I've never seen (and can't really imagine) a good clean
modular way to handle this without being so damn complex it's
unwieldy.

--
Like Music?
http://l-i-e.com/artists.htm
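The userland "clean array" pattern the two posts are arguing about, written out as an added example (this is not code from the thread, and $_CLEAN does not exist in PHP). The script starts $clean as an explicitly empty array and only copies a field in after it passes a validator, so neither register_globals nor a stray earlier assignment can seed it. The per-form rule table also shows the "gotcha" from the PS: email is required for one constructed form and optional for another. Form names, field names and the sample input are all constructed.

```php
<?php
// Added example, not from the mailing-list thread.
// Builds a trusted array from untrusted input: only fields that are listed
// in the rule set for this form AND that validate are copied into $clean.
declare(strict_types=1);

// Per-form rules (constructed). The same field can be required in one form
// and optional in another, which is why the rule set is keyed by form name.
const RULES = [
    'signup'  => [
        'email' => ['required' => true,  'type' => 'email'],
        'age'   => ['required' => true,  'type' => 'int', 'min' => 13, 'max' => 120],
    ],
    'contact' => [
        'email' => ['required' => false, 'type' => 'email'],
        'msg'   => ['required' => true,  'type' => 'text', 'maxlen' => 2000],
    ],
];

/**
 * Validate $input (e.g. $_POST) against the rules for $form.
 * Returns [$clean, $errors]. A field appears in $clean only when it validated;
 * fields with no rule (e.g. an unexpected 'admin' key) are never copied.
 */
function buildClean(string $form, array $input): array
{
    $clean  = [];   // always start empty: nothing is inherited from globals
    $errors = [];

    foreach (RULES[$form] as $field => $rule) {
        $raw = $input[$field] ?? null;

        if ($raw === null || $raw === '') {
            if ($rule['required']) {
                $errors[$field] = 'missing';
            }
            continue;   // optional and absent: simply not present in $clean
        }
        if (!is_string($raw)) {          // e.g. field[]=x arrives as an array
            $errors[$field] = 'bad type';
            continue;
        }

        switch ($rule['type']) {
            case 'email':
                $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
                if ($v === false) { $errors[$field] = 'invalid email'; continue 2; }
                break;
            case 'int':
                $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => [
                    'min_range' => $rule['min'], 'max_range' => $rule['max'],
                ]]);
                if ($v === false) { $errors[$field] = 'out of range'; continue 2; }
                break;
            case 'text':
                // reject over-long text and control characters other than
                // tab, LF and CR
                if (strlen($raw) > $rule['maxlen']
                    || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $raw)) {
                    $errors[$field] = 'bad text';
                    continue 2;
                }
                $v = $raw;
                break;
            default:
                $errors[$field] = 'unknown rule';
                continue 2;
        }
        $clean[$field] = $v;
    }
    return [$clean, $errors];
}

// Constructed input standing in for $_POST; 'admin' has no rule in any form.
$post = ['email' => 'alice@example.com', 'age' => '17', 'admin' => '1'];

[$clean, $errors] = buildClean('signup', $post);
var_dump($clean, $errors);

// Same validator, different form: here 'email' may be omitted.
[$clean, $errors] = buildClean('contact', ['msg' => 'hello']);
var_dump($clean, $errors);
```

Run with the PHP CLI. For the 'signup' call, $clean holds only the validated 'email' string and 'age' as an integer; the unexpected 'admin' key never reaches it and $errors is empty. For the 'contact' call, the missing 'email' produces no error because that form marks it optional, so $clean contains only 'msg'. The `continue 2` inside each `switch` case skips the final copy into $clean for the whole loop iteration, which is what keeps a field that failed validation out of the trusted array.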

