Eric Butera schreef:

...

then from client space you would just say
InputFilter::filterInput();

then, subsequently you can use $_POST and $_GET directly with the
assumption
that the input has been escaped.

BAD! assuming $_GET/$_POST are sanitized and escaped is always wrong. stick
cleaned/validated request data in a new/designated container.

additionally you escape data according to the context in which the escaped data 
will
be used - if you perform mysql related escaping on some central bunch of data 
then
things will go pear-shaped if at anytime that same data is subsequently used 
for other
kind of output (e.g. to screen) (note that putting data into a DB is consider 
output
from the point of view of your script)


Look up extract().  This is a horrible idea you're trying to do though.

I'll second that. :-)



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to