Eric Butera wrote: ...
then from client space you would just say InputFilter::filterInput(); then, subsequently you can use $_POST and $_GET directly with the assumption that the input has been escaped.
BAD! assuming $_GET/$_POST are sanitized and escaped is always wrong. stick cleaned/validated request data in a new/designated container. additionally you escape data according to the context in which the escaped data will be used - if you perform mysql related escaping on some central bunch of data then things will go pear-shaped if at any time that same data is subsequently used for another kind of output (e.g. to screen) (note that putting data into a DB is considered output from the point of view of your script)
Look up extract(). This is a horrible idea you're trying to do though.
I'll second that. :-)
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
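The separation recommended in the reply above, as an added example that is not part of the original thread: validated request data goes into its own container, unescaped, and each output context applies its own escaping. The `CleanInput` class, the field rules and the `people` table are hypothetical; an in-memory SQLite database with PDO bound parameters stands in for the MySQL escaping mentioned in the thread, and the `pdo_sqlite` extension is assumed.

```php
<?php
// Added example. CleanInput, the field rules and the people table are hypothetical.
final class CleanInput
{
    private array $values = [];

    // Validate raw request data per field; the raw array itself is never modified.
    public function __construct(array $raw, array $rules)
    {
        foreach ($rules as $field => $isValid) {
            $value = $raw[$field] ?? null;
            if (!is_string($value) || !$isValid($value)) {
                throw new InvalidArgumentException("Invalid field: $field");
            }
            $this->values[$field] = $value; // validated, but deliberately unescaped
        }
    }

    public function get(string $field): string
    {
        if (!array_key_exists($field, $this->values)) {
            throw new OutOfBoundsException("Field was never validated: $field");
        }
        return $this->values[$field];
    }
}

// Constructed sample request standing in for $_POST.
$raw = ['name' => "O'Brien <b>", 'age' => '42'];

$clean = new CleanInput($raw, [
    'name' => fn(string $v): bool => $v !== '' && strlen($v) <= 50,
    'age'  => fn(string $v): bool => preg_match('/^[0-9]{1,3}\z/', $v) === 1,
]);

// Output context 1: HTML. Escape at the point of output, for this context only.
echo '<p>Hello, ' . htmlspecialchars($clean->get('name'), ENT_QUOTES, 'UTF-8') . "</p>\n";

// Output context 2: the database. Bound parameters handle SQL quoting;
// the value is stored without any HTML escaping.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (name TEXT, age INTEGER)');
$stmt = $pdo->prepare('INSERT INTO people (name, age) VALUES (:name, :age)');
$stmt->execute([':name' => $clean->get('name'), ':age' => (int) $clean->get('age')]);

// Plain-text CLI output: the stored value is the original string, so it can
// still be escaped correctly for whatever context reads it later.
printf("stored: %s\n", $pdo->query('SELECT name FROM people')->fetchColumn());
```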