On Nov 25, 2009, at 4:32 AM, Ashley Sheridan wrote:
> On Tue, 2009-11-24 at 23:27 -0800, Allen McCabe wrote:
>
>> If I were to loop through my inputs, I could just exclude any
>> problematic names, eg.:
>>
>> foreach ($_POST as $var => $val)
>> {
>>     // skip the image-submit coordinate fields, keep everything else
>>     if ($var != 'filter.x' && $var != 'filter.y')
>>     {
>>         $var = $val;
>>     }
>> }
>>
>> Like that?
<!--snip-->
> Not really, what if someone else decided they wanted to throw in their
> own form field values in the hope of breaking your system? It's much
> better to be specifically looking for certain form fields and certain
> field values/ranges. For example, if you had some fields that would
> filter something by cost, you might have two form fields named 'max' and
> 'min' which would be ranges for the cost. You should check that these
> fields only contain numbers for example before processing them. Any data
> coming from the client-side is untrustworthy and should be regarded as
> tainted until you can prove otherwise.
>
> Thanks,
> Ash
The system Ash is referring to is a whitebox approach. You know what you should
get in, so only accept those values. A simple thing to accomplish what you're
trying to do, Allen, would be to create an array of required/accepted fields...
<?php
// the list of field names this script expects to receive
$acceptable = array('green', 'blue', 'red');
foreach ($_POST as $var => $val) {
    if (in_array($var, $acceptable)) {
        // Do whatever here
    } else {
        // Not acceptable - throw error message or do nothing
    }
}
?>
Hope that helps.
~Philip
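Putting Ash's advice (accept only named fields, and check each one's type and range) together with Philip's accepted-fields array, here is an added example that is not code from either poster. The field names 'min', 'max' and 'color', the numeric range, and the sample requests are assumptions made up for illustration; $_POST is filled in by hand so the script runs from the command line.

```php
<?php
// Added example, not from the thread: an accept-list of expected form fields
// where every field carries its own validation rule. Anything not on the list
// is reported and never used. Field names, ranges and sample data are assumed.

// Each expected field maps to a checker that returns the cleaned value or null.
$rules = array(
    // cost range bounds: integers between 0 and 100000 (assumed limits)
    'min' => function ($v) {
        $n = filter_var($v, FILTER_VALIDATE_INT,
            array('options' => array('min_range' => 0, 'max_range' => 100000)));
        return $n === false ? null : $n;
    },
    'max' => function ($v) {
        $n = filter_var($v, FILTER_VALIDATE_INT,
            array('options' => array('min_range' => 0, 'max_range' => 100000)));
        return $n === false ? null : $n;
    },
    // a fixed set of allowed values; strict comparison so '0' never matches
    'color' => function ($v) {
        return in_array($v, array('green', 'blue', 'red'), true) ? $v : null;
    },
);

// Returns array($clean, $errors). Only fields named in $rules are looked at,
// so a client adding extra parameters cannot smuggle anything into $clean.
function validate_request(array $input, array $rules)
{
    $clean  = array();
    $errors = array();

    foreach ($rules as $name => $check) {
        if (!array_key_exists($name, $input)) {
            $errors[] = "missing field: $name";
            continue;
        }
        // name[]=1 arrives as an array; reject anything that is not a plain string
        if (!is_string($input[$name])) {
            $errors[] = "wrong type for field: $name";
            continue;
        }
        $value = $check($input[$name]);
        if ($value === null) {
            $errors[] = "invalid value for field: $name";
            continue;
        }
        $clean[$name] = $value;
    }

    // fields the form never defined are noted so the attempt can be logged
    foreach (array_keys(array_diff_key($input, $rules)) as $extra) {
        $errors[] = "unexpected field ignored: $extra";
    }

    // cross-field check: a range whose lower bound exceeds its upper bound is invalid
    if (isset($clean['min'], $clean['max']) && $clean['min'] > $clean['max']) {
        $errors[] = 'min is greater than max';
        unset($clean['min'], $clean['max']);
    }

    return array($clean, $errors);
}

// Constructed request 1: a normal submission plus two fields the form never sent.
$_POST = array('min' => '10', 'max' => '500', 'color' => 'blue',
               'filter_x' => '12', 'is_admin' => '1');
list($clean, $errors) = validate_request($_POST, $rules);
var_dump($clean);   // min => 10, max => 500, color => 'blue'
print_r($errors);   // the two unexpected fields, nothing else

// Constructed request 2: hostile values in every field.
$_POST = array('min' => '10 OR 1=1', 'max' => array('1'), 'color' => 'purple');
list($clean, $errors) = validate_request($_POST, $rules);
var_dump($clean);   // empty: nothing survived validation
print_r($errors);   // one error per field
```

Two details worth keeping from this pattern: the loop runs over the rules, not over $_POST, so the accept-list is enforced by construction rather than by a check that can be forgotten; and in_array() is called with its third argument set to true, because its default loose comparison would, for example, treat the string '0' as equal to an entry like 0 on a list of numeric ids.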
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php