http://pixelated-dreams.com/uploads/mis ... tSheet.pdf
I think I'm going to add this to useful resources thread too...
EDIT: Arrrgh! Maugrim The Reaper beat me to it!
Code:
$MySQLContext = new MySQLContext();
$MySQLContext->AddVariable('username', $_POST['username']); // every time the MySQLContext is queried about the username it will return mysql_real_escape_string() applied to the value....
$MySQLContext->AddVariable('place', 'the place i live...', true); // an optional parameter to tell the context that the data should be used 'as is'.. Notice that this is not the default behaviour
$MySQLContext->AddQuery('simple query', 'SELECT * FROM users');
$MySQLContext->AddQuery('the query', 'SELECT * FROM users WHERE username=?', array('username'));
mysql_query($MySQLContext, 'the query');

Code:
$HTMLContext = new HTMLContext();
$HTMLContext->AddVariable('title', $_SERVER['PHP_SELF']);
echo($HTMLContext, 'title'); // internally $HTMLContext->GetVariable('title') is called and htmlspecialchars is applied...

<offtopic>matthijs wrote: Tim, did you also read the article by Marco Tabini called "Doing it Japanese style" about applying the poka-yoke concept to input filtering and output escaping in PHP architect issue 2 vol 5 (2006)? It seems like a similar concept as you described. A very interesting article.
Ha!
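The context idea sketched in the code above, written out as a working class (an added example, not the poster's code or any project's): values are stored raw and escaped only when rendered into a named sink, with the "use as is" flag defaulting to off. The class and method names, the users table and the sample input are assumptions; for the SQL side it substitutes PDO parameter binding for the mysql_real_escape_string() step in the sketch, since the mysql_* functions no longer exist in current PHP.

```php
<?php
// Added example, not the poster's code: a small output-context class in the spirit
// of the MySQLContext/HTMLContext sketch above. Values are stored raw and escaped
// only when rendered into a specific context, so the escaping matches the sink.
final class OutputContext
{
    private array $vars = [];
    // $raw = true means "use as is"; as in the sketch, escaping is the default.
    public function addVariable(string $name, string $value, bool $raw = false): void
    {
        $this->vars[$name] = ['value' => $value, 'raw' => $raw];
    }

    // HTML context: neutralise <, >, &, " and ' so the value cannot break out of markup.
    public function html(string $name): string
    {
        $v = $this->get($name);
        return $v['raw'] ? $v['value']
            : htmlspecialchars($v['value'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // SQL context: the value is never spliced into the query text; it is bound as a
    // parameter, which replaces the mysql_real_escape_string() step in the sketch.
    public function query(PDO $pdo, string $sql, array $names): PDOStatement
    {
        $stmt = $pdo->prepare($sql);
        foreach ($names as $name) {
            $stmt->bindValue(':' . $name, $this->get($name)['value'], PDO::PARAM_STR);
        }
        $stmt->execute();
        return $stmt;
    }

    private function get(string $name): array
    {
        return $this->vars[$name]
            ?? throw new InvalidArgumentException("unknown variable: $name");
    }
}
// Constructed sample input standing in for $_POST['username']; an in-memory SQLite
// database (pdo_sqlite) keeps the demo self-contained. Requires PHP 8.
$ctx = new OutputContext();
$ctx->addVariable('username', "<b>O'Brien</b>");
echo $ctx->html('username'), "\n";
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE users (username TEXT)");
$pdo->exec("INSERT INTO users VALUES ('<b>O''Brien</b>')");
$sql = 'SELECT * FROM users WHERE username = :username';
echo count($ctx->query($pdo, $sql, ['username'])->fetchAll()), " row(s) matched\n";
```

The same stored value renders differently for each sink: the HTML getter entity-encodes the markup and the quote, while the SQL path hands the quote-bearing string to the driver untouched and still matches the stored row.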
Sounds like the taint mode some have discussed on PHP internals... We could only wish... I honestly don't see PHP changing too far in that direction, it's hard enough convincing people to migrate to PHP5, without breaking even more stuff in PHP6 - which might be one nail too many in a PHP-sized coffin. Auto-escaping at least is easily implemented in a template engine - with some hacking obviously, but there are only so many methods of assigning data to a template - so it's not a hard one to implement. At the function level, it's still up to the developer knowing their stuff. So maybe if PHP offered a function, say print_safe(), for output that was auto-escaped and whatnot, and for input they would throw an E_NOTICE or E_WARNING error if they tried to use a superglobal without first running some standard function on it? Like for the superglobal stuff:
Value of the requested variable on success, FALSE if the filter fails, or NULL if the variable_name variable is not set.
Code:
$isgoodapi = filter_input(INPUT_GET, 'isgoodapi', FILTER_VALIDATE_BOOLEAN);
if (!is_null($isgoodapi)) {
    if ($isgoodapi === FALSE) {
        echo "the filter fails";
    } else {
        echo "value of the requested variable on success";
    }
} else {
    echo "the variable_name is not set.";
}

ahem... viewforum.php?f=34

MrPotatoes wrote: there is so little in terms of decent security literature