php-Dev
[PHP-DEV] Re: Proposal for cascadable general HTTP input handler
by Yasuo Ohgaki
Dec 9 2001 11:14PM
Rui Hirokawa wrote:

>  Hi,
>  
>  I propose a new idea for HTTP input handler to improve security and
>  multibyte encoding support.
>  
>  Currently, user input by POST/GET/Cookie is treated by
>  internal function php_treat_variables().
>  
>  Some security-related work to prevent some security attacks 
>  is performed in PHP script by htmlspecialchars() and regex().
>  
>  And multibyte encoding detection and translation, which is necessary
>  for multibyte-enabled Web applications, is implemented by 
>  overriding php_treat_variables().
>  
>  My idea is to introduce some general input filter/handler
>  for php_treat_variables().
>  
>  It is a similar concept as output buffering handler.
>  
>  For example, if a user defined 
>  
>  input_handler = http_input_check,mb_filter


Currently, the output_handler directive accepts one handler, AFAIK. If the
PHP parser is going to be changed, it would be nice to have the same
syntax for output_handler also.


>  
>  in php.ini, a user-defined security check handler and
>  multibyte encoding translation are performed.
>  
>  Generally, HTTP input checking for secure transactions is really
>  hard work, and some programmers might make some critical mistakes.
>  And a PHP script with HTTP input checks is usually hard to read.


Agreed. I have a class for that, but if PHP supports an input handler, it
helps a lot.

>  
>  If we can use an HTTP input handler, we can implement the
>  HTTP input check and the Web application separately.
>  


*1

-- 
Yasuo Ohgaki
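
The cascade proposed in the quoted mail can be emulated in userland PHP. This sketch is an added example, not part of the original messages and not an existing PHP API: the handler names `http_input_check` and `mb_filter` come from the mail, while their bodies, the `run_input_handlers()` helper and the Shift_JIS client encoding are assumptions.

```php
<?php
// Added illustration, not PHP's API: userland emulation of the proposed
// "input_handler = http_input_check,mb_filter" cascade. Handler bodies and
// the SJIS client encoding are assumptions made for this sketch.

function http_input_check(string $name, string $value): string
{
    // Reject NUL and other control bytes except tab, LF and CR. These byte
    // values never occur inside a Shift_JIS multibyte character.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException("control byte in input '$name'");
    }
    return $value;
}

function mb_filter(string $name, string $value): string
{
    // Refuse malformed byte sequences instead of converting them lossily.
    if (!mb_check_encoding($value, 'SJIS')) {
        throw new InvalidArgumentException("input '$name' is not valid SJIS");
    }
    return mb_convert_encoding($value, 'UTF-8', 'SJIS');
}

// $directive is administrator configuration (as php.ini would be); it must
// never be taken from request data, because each name is called.
function run_input_handlers(string $directive, array $input): array
{
    $handlers = array_filter(array_map('trim', explode(',', $directive)), 'strlen');
    foreach ($handlers as $h) {
        if (!is_callable($h)) {
            throw new RuntimeException("unknown input handler '$h'");
        }
    }
    $out = [];
    foreach ($input as $name => $value) {
        if (is_array($value)) {            // nested input such as a[]=1&a[]=2
            $out[$name] = run_input_handlers($directive, $value);
            continue;
        }
        foreach ($handlers as $h) {        // left to right, as listed
            $value = $h((string) $name, (string) $value);
        }
        $out[$name] = $value;
    }
    return $out;
}

// Constructed sample requests: SJIS katakana, then a value with a NUL byte.
$requests = [['q' => "\x83\x65\x83\x58\x83\x67"], ['file' => "report\0.php"]];
foreach ($requests as $get) {
    try {
        var_dump(run_input_handlers('http_input_check,mb_filter', $get));
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Because handlers run in the listed order, `http_input_check` sees the raw client bytes and `mb_filter` sees only values that passed it; the application receives either fully processed input or an exception, never a partially filtered value.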

