On Sat, 2006-09-09 at 11:30 -0400, Mark Charette wrote:
> Stut wrote:
> > Mark Charette wrote:
> >> However, looking at it from a 'knowing early the data is tainted'
> >> perspective, not from a 'validating and cleaning perspective', if you
> >> have coded that (for instance) a variable is set via COOKIE, then
> >> only looking for that variable set via COOKIE will eliminate its
> >> being tainted by being set via GET or REQUEST. It doesn't eliminate
> >> any need for validation or cleaning, but reduces (naive) attempts to
> >> set via incorrect means. That is not possible via REQUEST.
> >> Personally, I like to toss out possibilities of bad data via simple
> >> means as early in the chain as possible.
> >
> > If I understood that right it's a shockingly naive statement for any
> > developer to make. While I agree with what you're saying, you're
> > implying a bad attitude to handling data from untrusted sources.
>
> I am being neither shocking nor naive. Why is early discarding of data
> because it comes in the wrong area shocking?

That's your last line; I think he's commenting on the rest of your comment.
Questionable data is questionable data; it doesn't matter from whence you
clean it. If you haven't cleaned it you're still going to get screwed no
matter how much you rely on it being difficult to manipulate by a site
visitor.

Cheers,
Rob.
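As an added illustration of the two positions above (this is not code from anyone in the thread), the snippet below contrasts a $_REQUEST-style lookup, which merges GET, POST and COOKIE so the source is lost, with a cookie-only lookup that discards early when the name also arrives on the wrong channel and still validates the value. Function names, the `sid` cookie and the 32-hex-character token format are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// $_REQUEST-style lookup for comparison: with the PHP 5 era default
// variables_order = "EGPCS", later sources overwrite earlier ones, so the
// caller cannot tell which channel a value actually arrived on.
function requestStyleToken(string $name, array $cookies, array $get, array $post): ?string
{
    $merged = array_merge($get, $post, $cookies);
    return isset($merged[$name]) && is_string($merged[$name]) ? $merged[$name] : null;
}

// Cookie-only lookup: discard early if the name also shows up on the wrong
// channel (Mark's point), then validate regardless of source (Rob's point).
function cookieOnlyToken(string $name, array $cookies, array $get, array $post): ?string
{
    if (array_key_exists($name, $get) || array_key_exists($name, $post)) {
        return null; // arrived via a channel it should never use
    }
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return null;
    }
    // Assumed token format: exactly 32 lowercase hex characters.
    return preg_match('/\A[0-9a-f]{32}\z/', $cookies[$name]) === 1 ? $cookies[$name] : null;
}

// Constructed sample requests, not real traffic.
$valid = str_repeat('ab', 16);
$cases = [
    'cookie only, well-formed'  => [['sid' => $valid], [], []],
    'cookie and query string'   => [['sid' => $valid], ['sid' => $valid], []],
    'cookie only, malformed'    => [['sid' => 'not-a-token'], [], []],
    'query string only'         => [[], ['sid' => $valid], []],
];
foreach ($cases as $label => [$cookies, $get, $post]) {
    printf("%-26s request-style: %-8s cookie-only: %s\n", $label,
        requestStyleToken('sid', $cookies, $get, $post) === null ? 'rejected' : 'accepted',
        cookieOnlyToken('sid', $cookies, $get, $post) === null ? 'rejected' : 'accepted');
}
```

Run it from the CLI to see that only the first case passes the cookie-only path, while the request-style path accepts three of the four, including the malformed and query-string-only values.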