Would it be a good idea to declare which parameters are allowed from
outside, and which are internal to the application?
If you set
if ($user_string=='input' && $internal_allowed=='true') {
...
}
anybody can spoof $internal_allowed.
However, if you must set this script up like this:
accept_parameters($user_string); // or something similar
if ($user_string=='input' && $internal_allowed=='true') {
// ...
}
then nobody can spoof $internal_allowed (since outside modification is not
accepted).
Yes, this would break existing scripts.
On the plus side, the programmer must explicitly declare what is accepted
from users, and what isn't. This is a good thing, as it makes programmers
aware of what users can or cannot change. Now they know that $user_string
can be anything, while $internal_allowed is completely safe.
Just my 2 cents...
Cheerio, Marc.
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
