Safe Strings in PHP (2)

I wrote about the problems with PHP strings here and the possible solution I liked using a class encapsulating strings in PHP. I now worked out some details to make every string function in PHP work with the new “SafeString”-class. You can find the details and source here. This is still more a proof-of-concept and for all practical purposes would require the re-writing of a couple of things like database abstraction layers and such to return SafeStrings as well.

One Response to “Safe Strings in PHP (2)”

  1. I was struck by the complexity of your solution to the safety (“injection”) issue for strings in PHP that come from a user.

    I, too, have produced programmed solutions to other PHP problems.

    I now believe that the proper solution is to fix PHP and/or the other components of Web programming. Something that you always want done should be done in the language or computer system, not in explicit coding.

    Since the environment (the server programming tools) know which strings come from users and which do not, they can implement safety automatically.

    If the maintainers of PHP are reluctant to improve it in areas such as string safety, that is a political or psychological problem only, and could be solved by proper justification.

    After all, PHP has had some large changes in its history already, and people accepted them. A great example of this is the unsafe automatic importation of all GET and POST data into global variables, which is no longer done.

    As a former professional compiler writer and language designer, I am well aware of the tradeoff between keeping a language fixed (standard) and improving it. But there are well-known ways to manage this process, such as the standards development policies of Ada and Fortran. In PHP, a simple directive could enable or disable a new feature like automatic safe strings. To gain the advantages, webmasters or programmers would only have to add one line to each PHP page or to the site’s .htaccess file or the equivalent to enable the feature, and remove any existing safety code.

    I can’t see why the maintainers of PHP should object.

    David Spector
    Springtime Software

Leave a Reply

You must be logged in to post a comment.