On Fri, 2009-05-22 at 05:01 -0700, Michael A. Peters wrote:
> Make damn sure you validate the $username variable whatever solution
> you 
> end up using. 

Yeah, I have a funny story along those lines. I was doing the same sort
of thing, but allowing it to change passwords for a user. Luckily it was
an internal system, but I was still miffed at the smart-alec who thought
it would be funny to change the root password! Needless to say, I added
a lot of safeguards into the both the PHP script and the Bash script to
protect the system users and enforce a strict naming policy on what was
allowed to change, so that only users in the form 'prefix_joebloggs',
'prefix_simon', etc were allowed. Luckily the system was all still in
testing when that little gem was found. I hit myself for being so stupid


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to