On Tuesday, 27 June 2006 at 12:07 -0400, Chris Morgan wrote:
> Wow, that's a pretty neat idea.
> A few comments.
> We should do something to the values in $_REQUEST so they can't be used after this function is called.

We can do that, but only after we have made the required changes everywhere (i.e. remove makeClean AND remove every occurrence of $_REQUEST[], $_POST and so on).

> We should error if there are variables that don't fit the format we expect. We can't have anything getting past this filter by default or we'll be opening holes in the filtering without any kind of notification. We'll also want to know if we've missed anything during our changes.

I made a show_error_page call when variables don't fit the format; isn't it sufficient?

> Html keyword should probably be 'sh' instead of 'sH' so the lower case characters prefixed on a variable are what represents the variable's type. This would be more consistent with what we have.

Ok, could you please apply my patch and replace sH with sh in CODING_STANDARDS and in the new function in the diff? My patch shouldn't cause any harm yet.

> Filtering all variables might let us support allowing magic quotes, although given the widespread rejection of the magic quotes feature it seems silly to do so. I wouldn't be surprised if the switch was removed from php entirely in the near future.

That might be true, but for the time being magic_quotes_gpc=on is still the default, even in php5.

Thanks.
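The thread describes a request-filtering function with three properties: every accepted parameter is declared with a lower-case type prefix ('i' integer, 's' string, 'sh' HTML string), anything not declared or not matching its type triggers show_error_page so nothing slips through silently, and the raw superglobals are made unusable once the filter has run. The following is an added illustration of that design, not the patch discussed in the thread; the function names cleanRequest and showErrorPage, the parameter list and the tag whitelist are assumptions made for the example.

```php
<?php
// Added example, not the project's code: declare the parameters a page expects,
// type-check them by prefix, reject everything else, then empty the superglobals
// so later code cannot fall back to $_REQUEST. Names here are assumptions.

function showErrorPage(string $msg): void
{
    // Stand-in for the thread's show_error_page(): log, respond, and stop.
    error_log('request filter: ' . $msg);
    http_response_code(400);
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
    exit;
}

/**
 * $declared maps a request parameter name to its type prefix:
 *   'i'  -> integer, returned as $clean['iName']
 *   's'  -> plain string, HTML-escaped, returned as $clean['sName']
 *   'sh' -> string that may carry a small set of HTML tags, returned as $clean['shName']
 */
function cleanRequest(array $declared): array
{
    // magic_quotes_gpc was on by default in PHP 5.x (removed in 5.4); undo it so
    // the filter sees the same bytes whatever the runtime setting is.
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();

    // Fail closed: any parameter the page did not declare is an error, which also
    // flags call sites that were missed during the migration away from $_REQUEST.
    foreach (array_keys($_REQUEST) as $name) {
        if (!isset($declared[$name])) {
            showErrorPage("unexpected request variable: $name");
        }
    }

    $clean = [];
    foreach ($declared as $name => $type) {
        if (!array_key_exists($name, $_REQUEST)) {
            continue;                       // optional parameter, simply absent
        }
        $raw = $_REQUEST[$name];
        if (is_array($raw)) {
            showErrorPage("array value not allowed for: $name");
        }
        if ($magic) {
            $raw = stripslashes($raw);
        }
        $key = $type . ucfirst($name);      // e.g. 'i' + 'Id' -> 'iId'
        switch ($type) {
            case 'i':
                $v = filter_var($raw, FILTER_VALIDATE_INT);
                if ($v === false) {
                    showErrorPage("not an integer: $name");
                }
                $clean[$key] = $v;
                break;
            case 's':
                $clean[$key] = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
                break;
            case 'sh':
                // Assumed whitelist; strip_tags keeps attributes on allowed tags,
                // so a real deployment needs an attribute-aware sanitizer here.
                $clean[$key] = strip_tags($raw, '<b><i><p><br>');
                break;
            default:
                showErrorPage("unknown type '$type' declared for: $name");
        }
    }

    // Make the raw values unusable after the filter has run.
    $_REQUEST = [];
    $_GET = [];
    $_POST = [];
    return $clean;
}

// Usage (assumed parameter set): only id, title and body are accepted.
$in = cleanRequest(['id' => 'i', 'title' => 's', 'body' => 'sh']);
// $in['iId'] is an int, $in['sTitle'] is escaped text, $in['shBody'] keeps b/i/p/br.
```

Two points worth checking when wiring something like this into a codebase: the "unexpected variable" error is what turns a missed declaration into a visible failure rather than a silent bypass, so it should not be downgraded to a warning; and emptying $_GET/$_POST as well as $_REQUEST matters, because removing only $_REQUEST leaves the same raw values reachable through the other two.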