On Fri, November 11, 2005 5:18 pm, Chris Shiflett wrote:
> Richard Lynch wrote:
>> Suppose PHP had a superglobal $_CLEAN which was an empty array.
>
> This seems like a decent idea, for two reasons:
>
> 1. Developers don't have to remember to initialize their array, which
> offers some protection. PHP can do this for them.
>
> 2. Variable scope issues are not a concern. Currently, using this
> technique within functions and classes is clumsy at best.
>
> However, most security issues like XSS and SQL injection aren't really
> input filtering problems. Often, input filtering can effectively
> eliminate these vulnerabilities (and there's no excuse to not be
> filtering input), but escaping addresses the root cause of the
> problem.

It's certainly not a magic bullet.

But I think it would help a lot of newbies get set on the right path from the get-go, of thinking about security from "Hello World" instead of trying to graft Security onto their 30,000 line forum after it gets nailed by bad guys.

The residual effects are, hopefully, bigger than the direct benefit.

If a good way to escape OUTPUT was also incorporated, that would be even better.

But just getting folks THINKING about this kind of stuff from Day One of their PHP scripting would make a big difference.

Perhaps one should use:

$_ICLEAN
$_OCLEAN

for Input and Output.

$kosher = '/[^A-Za-z0-9\',\.-]/';
$_ICLEAN['first_name'] = preg_replace($kosher, '', $_GET['first_name']);
/* more code */
$_OCLEAN['first_name'] = htmlentities($_ICLEAN['first_name']);
echo "<p>$_OCLEAN[first_name] is way smarter than me.</p>\n";

If you had anything other than $_OCLEAN in an echo and friends, then you would know you were screwing up.

I really think it's important for the PHP community to push towards safer practices at the most basic levels. Examples in the manual, textbooks, etc.

If everybody knew $_ICLEAN and $_OCLEAN meant data cleaned from input or data cleaned for output, then one could simply use them in examples instead of $_GET or $data.

I'm not sure we can (or even should) go as far as Perl's tainted mode, but I think setting the right example and having an infrastructure to "do it right" would be a Good Thing.

-- 
Like Music? http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
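The $_ICLEAN / $_OCLEAN discipline proposed in the message above, written out as an added example (this is illustration code, not code from the thread or from PHP itself). It uses two ordinary arrays in place of the proposed superglobals, so it runs on stock PHP; the function names clean_input and clean_for_html, the constant KOSHER_NAME and the sample request values are this example's own, and the request array is a constructed stand-in for $_GET.

```php
<?php
// Added example, not from the original thread: the input-clean / output-clean
// split, with ordinary arrays standing in for the proposed $_ICLEAN / $_OCLEAN.

// Whitelist from the post: letters, digits, apostrophe, comma, period, hyphen.
const KOSHER_NAME = '/[^A-Za-z0-9\',.-]/';

/**
 * Input side: keep only whitelisted characters, drop everything else.
 * The caller stores the result in the input-clean array.
 */
function clean_input(string $raw, string $pattern = KOSHER_NAME): string
{
    return preg_replace($pattern, '', $raw);
}

/**
 * Output side: escape for an HTML text or attribute context.
 * ENT_QUOTES matters because the name whitelist deliberately lets
 * apostrophes through (O'Brien); an unescaped ' inside a single-quoted
 * attribute would still terminate it.
 */
function clean_for_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed request data standing in for $_GET during the demo.
$request = [
    'first_name' => "O'Brien<script>alert(1)</script>",
    'comment'    => 'Loved the "talk" & slides',
];

$clean_in  = [];   // the role $_ICLEAN would play
$clean_out = [];   // the role $_OCLEAN would play

// Input filtering: the whitelist strips < > ( ) / and keeps the apostrophe.
$clean_in['first_name'] = clean_input($request['first_name']);
// $clean_in['first_name'] is now "O'Brienscriptalert1script": mangled,
// but no markup survives the filter.

// A free-text field cannot be whitelisted this aggressively, so filtering
// contributes little here and output escaping carries the whole load. This
// is the case Chris Shiflett's reply is pointing at.
$clean_in['comment'] = $request['comment'];

// Output escaping: every value that will be echoed gets exactly one pass.
foreach ($clean_in as $key => $value) {
    $clean_out[$key] = clean_for_html($value);
}

// Only $clean_out entries reach echo, which is the rule the post proposes.
echo "<p>{$clean_out['first_name']} is way smarter than me.</p>\n";
echo "<p title='{$clean_out['comment']}'>{$clean_out['comment']}</p>\n";
// Second line renders as:
// <p title='Loved the &quot;talk&quot; &amp; slides'>Loved the &quot;talk&quot; &amp; slides</p>
```

The escaper here is specific to HTML output. A value from the same input-clean array that is interpolated into SQL needs a different treatment (a bound parameter in a prepared statement, or the database driver's own escaping function), which is what the quoted point about escaping addressing the root cause amounts to: one $_OCLEAN per output context, not one for all of them.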