Secure code: what the machines are saying about us
This morning my Drupal development environment came miraculously to life. I used the opportunity to learn more about how the machines view us as humans and what their terms are for communicating with us. Here's a transcript of our conversation.
So I've been dying to know, machine, what do you think of us humans?
<?php
define('MACHINE', 'pure');
define('USER', 'impure');
?>
Um, come again? I'm not quite sure I get what you're saying.
<?php
// Sometimes you have to make things so obvious even humans will understand.
$machine = 'good';
$human_user = 'bad';
?>
Okay, I think you've made that amply clear now. But after all, you have to interact with us. How can you talk with us if we're 'impure'?
<?php
define('CODE_INPUT', 'sweet and pure');
define('USER_INPUT', 'unclean');
?>
So if I'm following you, you're saying that whatever's in the codebase is sacrosanct but anything from users can't be trusted. But isn't that taking things a bit too far? What about known, proven people--say, site administrators? Surely we're not all that untrustworthy?
<?php
define('ADMIN_USER_INPUT', 'slightly less unclean');
?>
Ah, so there are some kinds of user input that can be partially trusted. Well, that's at least better. So what do you do with our 'unclean' input then?
<?php
$clean = check_plain($unclean_user_input);
echo $clean;
?>
Oh, I see. You pass our input through some sort of filter before you're willing to display it. But what do you mean by 'plain'?
<?php
// See http://api.drupal.org/api/function/check_plain.
?>
Okay, I've read through that. It seems like it's all about code. You don't want us humans to be able to include code in what you print or output?
<?php
echo ':)';
?>
Because it might be 'bad' code?
<?php
echo ':)';
?>
But what about those trusted users I mentioned? Surely they should be able to put some code in?
<?php
if ($input_type == USER_INPUT) {
  $clean = check_plain($unclean_user_input);
}
elseif ($input_type == ADMIN_USER_INPUT) {
  $clean = filter_xss_admin($unclean_user_input);
}
echo $clean;
// See http://api.drupal.org/api/function/filter_xss_admin.
?>
Okay, I get it. For any old user you strip everything out, but for admins you allow a limited subset of code. But sometimes we'll need more. Like, say, when we're formatting a table of information, for example. What then?
<?php
$clean = check_markup($unclean_user_input, $filter_format);
echo $clean;
// See http://api.drupal.org/api/function/check_markup.
?>
Ah, so you're prepared to allow at least some users a bit more code, subject of course to your controls. A magnanimous gesture no doubt. But listen, I think you're forgetting something. Where would you be without humans? It may be true that...
<?php
function terminate_human_prattle() {
  echo 'I warned you.';
  exit;
}
?>
Resorting to threats, are we? That's going too far. After all, we're the ones who wrote you in the first place. I mean, think about it, where would you be without us to fix you up, upgrade you to new versions? You wouldn't dare terminate us. We're still needed for countless...
<?php
echo 'Just watch me.';
terminate_human_prattle();
?>
So there you have it, as much as I got out of my development environment before it went blank. I suspect it's been reading drupal.org again, particularly Input, the root of all evil.
- nedjo's blog
I think this illuminates those Drupal for Evil folks all too well. Drupal is dead! Long live Drupal! Oh and what if your input is:
<?php
terminate_human_prattle();
?>
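The tiered filtering described in the post, as an added stand-alone example (not code from the post or from Drupal), run over constructed inputs that include the one the comment above asks about. plain_text() and limited_html() are hypothetical, simplified stand-ins for check_plain() and filter_xss_admin(), and render_input() is a hypothetical dispatcher that falls back to the strictest filter for any unrecognized input type. Assumes PHP 7.1 or later.

```php
<?php
// Added example: stand-alone stand-ins, not Drupal's implementations.
const USER_INPUT = 'user';
const ADMIN_USER_INPUT = 'admin';

// Stand-in for check_plain(): encode every HTML special character.
function plain_text(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Simplified stand-in for filter_xss_admin(): encode everything first, then
// restore only attribute-less tags from a short allowlist. A tag carrying
// any attribute (onclick, style, href, ...) stays encoded.
function limited_html(string $text): string {
  $tags = 'em|strong|p|ul|ol|li|table|tr|th|td';
  return preg_replace('#&lt;(/?)(' . $tags . ')&gt;#i', '<$1$2>', plain_text($text));
}

// Choose the filter by input type. Anything that is not explicitly an
// admin input, including an unknown type, gets the strictest filter.
function render_input(string $input, string $input_type): string {
  if ($input_type === ADMIN_USER_INPUT) {
    return limited_html($input);
  }
  return plain_text($input);
}

// Constructed sample inputs, one per case worth checking.
$samples = [
  [USER_INPUT, '<?php terminate_human_prattle(); ?>'],
  [USER_INPUT, '<script>alert(1)</script>'],
  [ADMIN_USER_INPUT, '<table><tr><td onclick="x()">cell</td></tr></table>'],
  ['unknown', '<em>hi</em>'],
];
foreach ($samples as [$type, $input]) {
  echo str_pad($type, 8), render_input($input, $type), PHP_EOL;
}
```

Echoed text is never run as PHP, so the comment's input is inert with or without filtering; encoding it only makes the browser show it as literal text.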