On 22 Nov 2005, at 09:03, Simon wrote:
> PHP does (try) to do something similar - with the magic_quotes_gpc
> setting ( gpc = "Get, Post, Cookie" ), it automatically adds slashes to
> strings - for those who don't do PHP:
I think the web development world has pretty much universally agreed
that magic quotes is one of the worst language features ever. I would
certainly never advocate adding something so horrible to Django. The
input filtering proposal is about making it easier to be explicit
about the format of incoming data, and harder to create security
holes through laziness or carelessness.
It seems everyone agrees that having a simple way of saying "get the
'foo' parameter and make sure it's an integer/float/email address/
single-line-of-text" is a useful feature. What's less clear is if
default filtering should be applied to all input unless the developer
explicitly asks for the "raw" data. I'm beginning to lose interest in
this idea, basically because I can't think of any patterns that
really need to be filtered. Nasty javascript is a possibility but is
much better filtered at the output stage. Null bytes and so forth are a
bit hard to justify removing unless there's a really good reason to
do so. And we certainly don't want to start doing weird stuff to
quotes - that's what a sane DB abstraction layer is for.
Cheers,
Simon
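The explicit "get the 'foo' parameter and make sure it's an integer/float/email address/single line of text" accessors discussed above, as an added illustration that is not part of the original thread and not Django's own API: a hypothetical `ParamFilter` wraps a plain dict standing in for request.GET/request.POST, each typed getter raises `InputError` instead of silently mangling the value, the raw string stays reachable only when asked for by name, quotes are passed through untouched (the DB layer's job), and HTML escaping happens at the output stage in `render_text`. The parameter values are constructed sample input.

```python
import html
import re
from typing import Mapping, Optional

# Strict formats: the caller declares what it expects, nothing is "cleaned" on its behalf.
_INT_RE = re.compile(r"^[+-]?\d+$")
_FLOAT_RE = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")  # rejects nan/inf
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
_LINE_BREAKERS = ("\r", "\n", "\x00")


class InputError(ValueError):
    """Raised when a parameter is missing or not in the format the caller declared."""


class ParamFilter:
    """Hypothetical typed accessor over incoming GET/POST parameters (illustration only)."""

    def __init__(self, params: Mapping[str, str]):
        self._params = params  # stands in for request.GET / request.POST

    def raw(self, name: str) -> Optional[str]:
        # Unfiltered value: available, but only on an explicit request for it.
        return self._params.get(name)

    def _require(self, name: str) -> str:
        if name not in self._params:
            raise InputError(f"missing parameter {name!r}")
        return self._params[name]

    def get_int(self, name: str) -> int:
        value = self._require(name).strip()
        if not _INT_RE.match(value):
            raise InputError(f"{name!r} is not an integer: {value!r}")
        return int(value)

    def get_float(self, name: str) -> float:
        value = self._require(name).strip()
        if not _FLOAT_RE.match(value):
            raise InputError(f"{name!r} is not a number: {value!r}")
        return float(value)

    def get_email(self, name: str) -> str:
        value = self._require(name).strip()
        if not _EMAIL_RE.match(value):
            raise InputError(f"{name!r} is not an email address: {value!r}")
        return value

    def get_single_line(self, name: str) -> str:
        # Rejects CR/LF (header-injection style payloads) and NUL; quotes are left alone,
        # because escaping for the database belongs to the DB abstraction layer.
        value = self._require(name)
        if any(ch in value for ch in _LINE_BREAKERS):
            raise InputError(f"{name!r} must be a single line")
        return value.strip()


def render_text(text: str) -> str:
    """Output-stage escaping: script tags and quotes are neutralised here, not on input."""
    return html.escape(text, quote=True)


# Constructed sample request parameters.
SAMPLE_PARAMS = {
    "id": " 42 ",
    "price": "3.50",
    "email": "alice@example.com",
    "title": "O'Reilly <script>alert(1)</script>",
    "note": "two\nlines",
}


def demo() -> dict:
    f = ParamFilter(SAMPLE_PARAMS)
    rejected = []
    for name, getter in (("note", f.get_single_line), ("title", f.get_int)):
        try:
            getter(name)
        except InputError:
            rejected.append(name)
    return {
        "id": f.get_int("id"),
        "price": f.get_float("price"),
        "email": f.get_email("email"),
        "title": f.get_single_line("title"),  # quote survives intact
        "title_html": render_text(f.get_single_line("title")),
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the split is that `get_single_line` stores `O'Reilly` exactly as typed, while `render_text` is what stops the `<script>` fragment from reaching the page; neither step touches the apostrophe in a way the database layer would later have to undo.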