- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 24 Oct 2007 22:38:37 +0000 (UTC)
On Wed, 17 Oct 2007, Jonas Sicking wrote:
> >
> > Yeah. I think having quote() might do as much damage by encouraging
> > people to write codepaths that need it as it might help by having
> > people writing those codepaths anyway be saved (if, that is, they know
> > to be saved).
> >
> > What would be cool is if we could detect, through tainting, the bad
> > codepaths. But I see no way to do that here.
>
> If people write codepaths that need quote(), but use quote()
> appropriately then I don't see any harm done, so I'm not sure what
> specifically you are worried about here?

I'm worried about people seeing quote(), going the path of using quote(),
and then forgetting to use it.

> I think not having quote will make people write their own, and every so
> often fail at it. People that don't think about the possibility of
> getting exploited aren't going to use neither '?' nor quote() so they
> are hosed either way.

If we include examples for how to do this (embedding ? directly into the
query and adding the stuff to the array), will that work? It's easier to
do than quoting.

> What are we trying to prevent here. The page can only attack data it
> owns, so the only thing I can think of is preventing bugs. Though that
> is certainly not unimportant.

True.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 24 October 2007 15:38:37 UTC
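The two code paths the message contrasts, written out as an added example that is not part of the thread or of any spec draft: one splices the value into the SQL text (the path that needs a quote() function, and breaks when it is forgotten), the other embeds `?` in the query and passes the value in the argument array. It uses Python's standard sqlite3 module because it accepts the same `?` placeholder-plus-argument-tuple style the message describes; the table, the `owner` column and the sample rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table with two owners' notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("alice", "alice's note"), ("bob", "bob's note")],
    )
    return conn


def notes_concatenated(conn, owner):
    """The code path that would need quote(): the value becomes part of the SQL text.

    Nothing is quoted here, which is exactly the 'forgot to use quote()' case
    the message worries about.
    """
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_bound(conn, owner):
    """The '?' code path: the SQL text is constant, the value travels separately.

    The engine never parses the value as SQL, so no quoting step exists to forget.
    """
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def query_ok(fn, conn, owner):
    """True if the given code path runs without an SQL error for this value."""
    try:
        fn(conn, owner)
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"       # constructed: turns the WHERE clause into a tautology
    legit = "o'brien"              # constructed: an ordinary value containing an apostrophe
    print("concat, hostile:", notes_concatenated(db, hostile))   # both rows leak
    print("bound,  hostile:", notes_bound(db, hostile))          # no such owner, []
    print("concat, legit ok?", query_ok(notes_concatenated, db, legit))  # False: syntax error
    print("bound,  legit ok?", query_ok(notes_bound, db, legit))         # True
```

The apostrophe case is the "bug" side of the argument: even with no attacker, the concatenating path fails on legitimate input, while the `?` path does not, which is why the message suggests documenting the `?` form rather than a quote() helper.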