On Thu, Nov 10, 2005 at 05:21:51PM -0500, Ben Ramsey wrote:
> On 11/10/05 4:48 PM, Richard Lynch wrote:
> >Here's an idea... Quite possibly half-baked.
> >
> >Suppose PHP had a superglobal $_CLEAN which was an empty array.
> >
> >Further suppose it was documented in the manual as *the* place to put
> >your scrubbed data.
> >
> >This rather small and hopefully inexpensive change (in terms of PHP
> >Dev/Docs team work) would quite possibly improve scripts by newbies,
> >simply by nudging them in the proper direction, because it would be a
> >documented feature, and it would have all the nifty cross-links in the
> >manual and all that.
> >
> >It would also help to keep code cleaner to have $_CLEAN be a
> >superglobal rather than just something I made up and have to declare
> >as "global" all the time.
> >
> >Comments? Suggestions? Derogatory remarks?
>
> There is an Input Filter PECL extension that's still in beta, and I
> think it's a good step, though I'm not so sure about some of the
> sanitizing it performs. It doesn't offer the superglobal you're
> suggesting, but it probably wouldn't be too difficult to put it in there.

There is a PECL extension with which you can register custom superglobals,
although it comes with some extra stuff as well:

http://php.net/runkit

> The only issue I see with building in a superglobal to the language (or
> this extension) is that it doesn't force the user to instantiate the
> empty array at the top of the script. This could make for a lazy
> developer, and, if s/he's not careful, anyone running the application on
> a machine in which register_globals is turned on would run the risk of
> having a potentially tainted $_CLEAN array, which defeats the purpose of
> the clean array altogether. The point is that the developer should be
> able to trust the data in $clean.

I think the idea would be that $_CLEAN is protected from anything but
your own code assigning a value to it, and will always be an empty array.
I'm not sure that will stop anyone from abusing it and just sticking
$_REQUEST['password'] into the array without really cleaning it.

The other issue with having a system variable like this is, if I choose
not to use it, perhaps because I have a different method of sanitizing my
input, the variable just becomes an empty, useless item.

> If PHP had a taint mode and didn't have register_globals, then we'd be
> making some progress.

Hmm... an E_TAINTED error, that might be something good to have put in
PHP 6, since register_globals appears to be going away then.

I could foresee some code like this, though:

  array_walk_recursive($_REQUEST, create_function('&$v,$k', '$v = $k'));

Curt.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
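The "$clean array" convention the thread is arguing about, written out as an added example (not code from the thread or from any PHP extension); the field names and validation rules are hypothetical, chosen only to show how a whitelist keeps unexpected or unchecked request values out of the trusted array:

```php
<?php
// Added example, not code from the thread: the "$clean array" convention.
// Inputs are validated against explicit rules and copied into a dedicated
// array; application code reads only from that array, never from $_REQUEST.

// Return a new array holding only the inputs that pass their rule.
// $rules maps an expected field name to a regular expression.
function scrub_input(array $input, array $rules)
{
    $clean = array();
    foreach ($rules as $key => $pattern) {
        if (isset($input[$key]) && is_string($input[$key])
                && preg_match($pattern, $input[$key]) === 1) {
            $clean[$key] = $input[$key];
        }
    }
    return $clean;   // unexpected keys and failed values never appear
}

// Hypothetical field names and rules for this example.
$rules = array(
    'user' => '/^[a-z0-9_]{3,16}$/',
    'page' => '/^[1-9][0-9]{0,3}$/',
);

// Assign the whole array at the top of the script. With register_globals
// on, a request such as ?clean[user]=... could otherwise pre-populate
// $clean; replacing it wholesale (rather than adding keys to whatever is
// already there) discards any such value.
$clean = scrub_input($_REQUEST, $rules);

// The pattern Curt's mail warns about: a "clean" array in name only,
// because no check is performed before the copy.
// $clean['password'] = $_REQUEST['password'];

// Application code trusts $clean and nothing else; a key that failed
// validation is simply absent, so a default is used instead.
$page = isset($clean['page']) ? (int) $clean['page'] : 1;
$user = isset($clean['user']) ? $clean['user'] : null;
```

Whether the array is a plain `$clean` or a built-in `$_CLEAN` superglobal, the protection comes from the whitelist step, not from the variable's name.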