On Fri, 2009-05-22 at 05:01 -0700, Michael A. Peters wrote:
> Make damn sure you validate the $username variable whatever solution you
> end up using.

Yeah, I have a funny story along those lines. I was doing the same sort
of thing, but allowing it to change passwords for a user. Luckily it was
an internal system, but I was still miffed at the smart-alec who thought
it would be funny to change the root password! Needless to say, I added
a lot of safeguards into both the PHP script and the Bash script to
protect the system users and enforce a strict naming policy on what was
allowed to change, so that only users in the form 'prefix_joebloggs',
'prefix_simon', etc were allowed. Luckily the system was all still in
testing when that little gem was found. I hit myself for being so stupid
afterwards!


Ash
www.ashleysheridan.co.uk


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
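Worked example, added here and not code from Ash's or Michael's messages: the allow-list check on the Bash side of such a PHP-to-shell password-change tool, written in POSIX sh. The literal prefix "prefix_", the 32-character cap and the UID cut-off of 1000 are assumptions. The PHP caller should run the same pattern test before shelling out and pass the name through escapeshellarg(), but the shell side must not rely on that having happened.

```shell
#!/bin/sh
# Added example (not from the thread): enforce the "prefix_joebloggs" naming
# policy before a username gets anywhere near chpasswd. The prefix, the
# length limit and the UID cut-off below are assumptions for illustration.

export LC_ALL=C        # make [a-z] mean ASCII a-z regardless of locale
PREFIX="prefix_"
MAXLEN=32
MINUID=1000

# validate_username NAME
# Succeeds (returns 0) only when NAME is exactly "prefix_" followed by one
# or more characters from [a-z0-9], the first of them a letter, and the
# whole name is at most MAXLEN characters. Everything else is refused:
# root and other system accounts (no prefix), empty input, a bare prefix,
# names starting with "-" (parsed as options by downstream tools), and
# names carrying spaces, newlines or shell metacharacters.
validate_username() {
    [ $# -eq 1 ] || return 1                  # missing or word-split arg
    name=$1
    [ "${#name}" -le "$MAXLEN" ] || return 1
    case $name in
        "$PREFIX"*) ;;                        # must carry the prefix
        *) return 1 ;;
    esac
    rest=${name#"$PREFIX"}
    case $rest in
        "") return 1 ;;                       # bare prefix is not a user
        [a-z]*) ;;                            # first char after prefix is a letter
        *) return 1 ;;
    esac
    case $rest in
        *[!a-z0-9]*) return 1 ;;              # anything outside [a-z0-9] is rejected
    esac
    return 0
}

# is_regular_account NAME
# Second line of defence: the account must exist and have a UID at or above
# MINUID, so even a name that passes the pattern can never be a system user.
is_regular_account() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ge "$MINUID" ]
}

# change_password NAME NEWPASS
# Only reached for names that pass both checks. The pair is handed to
# chpasswd on stdin rather than on a command line, so it never shows in ps.
change_password() {
    validate_username "$1" || { echo "refused: bad username" >&2; return 2; }
    is_regular_account "$1" || { echo "refused: not a regular account" >&2; return 2; }
    printf '%s:%s\n' "$1" "$2" | chpasswd
}

# Constructed inputs: a dry run of the pattern check alone (no passwords touched).
for n in prefix_joebloggs prefix_simon root prefix_ "prefix_joe bloggs" \
         'prefix_x;id' -prefix_joe prefix_Admin ""; do
    if validate_username "$n"; then
        echo "accept: $n"
    else
        echo "reject: $n"
    fi
done
```

The pattern test deliberately refuses anything without the prefix instead of keeping a denylist of system accounts, so a new system user added later is protected without touching the script; the UID check catches the remaining case of a prefixed name that happens to have been created as a system account.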