[nycphp-talk] "The Web is broken and it's all your fault."
Jon Baer
jonbaer at jonbaer.com
Sat Sep 16 01:31:26 EDT 2006
On Sep 15, 2006, at 10:41 PM, Rick Olson wrote:
> Jon Baer wrote:
>> I partly blame the language ... I know of a lot of people who complain
>> about Java's strict typing/sandboxing + find it cumbersome and have
>> to explain it's there for a good reason.
>>
>> First, get rid of this stuff ... $_GET['badstuff'] and all incoming
>> defined variables period. As long as it exists in the language
>> people will complain about security ... I'm surprised there is no fork
>> of PHP to form a SecurePHP variant that takes this out or has strong
>> wrappers for it (see 3).
>>
>
> huh? Are you suggesting we remove user input from the language?
I'm suggesting maybe a little DRY applied to PHP when it comes to
security. People seem to be complaining about the same security
problems over and over again, and the language itself is not becoming
smarter about handling either the junk sent in or the output going out.
> earlier... http://pecl.php.net/package/filter
> That will eventually become a part of the base system I imagine, once
> it's stable. They were threatening to change the function names
> though a couple of days ago, but I don't think that'll happen before
> the 5.2 release.
Is that package/extension the same as this?
http://cvs.php.net/viewcvs.cgi/php-src/README.input_filter?revision=1.7.4.1
That was my original point ... to get rid of $_GET/POST[] and replace
it with this package once + for all ...
- Jon
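The "strong wrapper" idea argued for above, as an added example that is not code from the thread, from the PECL filter package, or from PHP itself: a page declares every parameter it accepts once, reads all of them through filter_var_array() (ext/filter, the package linked in the reply, bundled with PHP from 5.2 on), and never touches $_GET/$_POST directly. The parameter names, the filter choices and the sample request array are constructed for illustration; in a real request you would pass the same definition to filter_input_array(INPUT_GET, ...) instead.

```php
<?php
// Added example, not from the thread or from ext/filter's own docs.
// Every parameter the page accepts is declared once; anything not
// declared is dropped, anything that fails validation comes back false.

/**
 * Validate a raw request array against an allow-list of parameters.
 * Result has one entry per declared parameter:
 *   - the validated (and type-converted) value on success,
 *   - the declared 'default' when the value was present but invalid,
 *   - false when validation failed and no default exists,
 *   - null when the parameter was absent from the request.
 * Undeclared parameters are not copied through.
 */
function read_request(array $raw): array
{
    $definition = [
        // integer id, must be >= 1; "42abc" is rejected, not truncated to 42
        'id'    => ['filter'  => FILTER_VALIDATE_INT,
                    'options' => ['min_range' => 1]],
        // page number; an invalid value (e.g. "0") falls back to 1
        'page'  => ['filter'  => FILTER_VALIDATE_INT,
                    'options' => ['min_range' => 1, 'default' => 1]],
        'email' => FILTER_VALIDATE_EMAIL,
        // free text: keep the bytes, strip control characters (< 0x20);
        // escaping for HTML is done at output time, not here
        'q'     => ['filter' => FILTER_UNSAFE_RAW,
                    'flags'  => FILTER_FLAG_STRIP_LOW],
    ];
    // third argument true: absent declared keys appear in the result as null
    return filter_var_array($raw, $definition, true);
}

/** Escape an already-validated string for an HTML text/attribute context. */
function html(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for $_GET (not a captured request).
$sample = [
    'id'    => '42',
    'page'  => '0',                               // fails min_range -> default 1
    'email' => 'user@example.com',
    'q'     => "<script>alert(1)</script>\x00",   // NUL byte is stripped
    'debug' => '1',                               // not declared -> dropped
];

$in = read_request($sample);
var_dump($in);
// id => int(42), page => int(1), email => "user@example.com",
// q => "<script>alert(1)</script>", and no 'debug' key at all

if ($in['id'] === false) {
    // With 'id' => '42abc' this branch runs: reject, do not try to repair.
    http_response_code(400);
    exit('bad id');
}
echo '<p>Results for ' . html($in['q']) . " (id {$in['id']}, page {$in['page']})</p>\n";
```

The point of routing everything through one definition is that the validation for a page is reviewable in one place, the raw superglobals never appear in application code, and the escaping still has to happen separately at the output side, which is the other half of the complaint in the message above.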