Stuart schreef:
> Please include the list when replying unless you're looking to hire me!
> 2009/3/11 filtered <>
>> On Wed, Mar 11, 2009 at 13:41, Stuart <> wrote:
>>> 2009/3/11 filtered <>
>>> $_GET['cam'] looks fine. $_GET['studio'] is not.
>>> I could build a URL that would output a javascript tag to do anything I
>> want
>>> from the security context of a page on your site. This is not good.
>>> Check out and associated functions.
>> More detailed question: is this code prone for attacking the local
>> web/php-server? I agree that it is weak with respect to XSS.
> Not on the face of it, but we would need a lot more of your code to decide
> that for certain, something which goes way beyond the scope of this list.
> But I would ask the question why it matters? It's bad so fix it. If you
> really have code like this anywhere in your site, escape it.
> Escape stuff coming in and escape stuff going out. There are no exceptions.

actually that should be: filter stuff coming in, escape stuff going out.

where 'coming in' really means any input vector (reading from db, from a file,
request input, etc) and 'going out' really means any output vector (writing to 
writing to file, outputting to browser, etc).

note that the filtering & escaping that you should be doing depends on the
context/vector in question (you escape data differently when writing to the db 
compared to outputting data.)

welcome to the web: where everyday we take the golden rule of keeping data, code
and presentation seperate ... and stick it in a blender (along with the data, 
the code
and the presentation)

... successfully filtering/escaping data out here means making sense of the
goop in the blender and 'doing the right thing' with it ... have fun with that,
I know I don't :-)

> Ever.
> -Stuart

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to