On Nov 25, 2009, at 4:32 AM, Ashley Sheridan wrote:

> On Tue, 2009-11-24 at 23:27 -0800, Allen McCabe wrote:
>> If I were to loop through my inputs, I could just exclude any
>> problematic names, e.g.:
>> foreach ($_POST as $var => $val)
>> {
>>   // Skip the problem fields; everything else is accepted as-is.
>>   // (PHP stores a field submitted as "filter.x" under the key "filter_x".)
>>   if ($var != 'filter_x' && $var != 'filter_y')
>>   {
>>     $var = $val;
>>   }
>> }
>> Like that?


> Not really, what if someone else decided they wanted to throw in their
> own form field values in the hope of breaking your system? It's much
> better to be specifically looking for certain form fields and certain
> field values/ranges. For example, if you had some fields that would
> filter something by cost, you might have two form fields named 'max' and
> 'min' which would be ranges for the cost. You should check that these
> fields only contain numbers for example before processing them. Any data
> coming from the client-side is untrustworthy and should be regarded as
> tainted until you can prove otherwise.
> Thanks,
> Ash

The system Ash is referring to is a whitebox approach. You know what you should 
get in, so only accept those values. A simple thing to accomplish what you're 
trying to do, Allen, would be to create an array of required/accepted fields...

$acceptable = array('green', 'blue', 'red');
foreach ($_POST as $var => $val) {
    // Strict comparison so only exact field names match
    if (in_array($var, $acceptable, true)) {
        // Do whatever here
    } else {
        // Not acceptable - throw error message or do nothing
    }
}

Hope that helps.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
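As an added example (not code from anyone in this thread), here is the allow-list idea from the replies above taken one step further: every expected field has a rule attached, unknown fields are reported rather than silently used, and the 'min'/'max' cost range Ash mentioned is checked both per field and against each other. The field names, rules, allowed colours and sample requests are all constructed for illustration; the functions `fieldRules()` and `validateRequest()` are hypothetical names.

```php
<?php
// Added example, not code from the thread. It implements the allow-list
// approach described above: only known field names are accepted, and each
// accepted field is validated against a rule (type, range or fixed set).
// The field names, rules and sample input below are constructed.

// Allowed values for the 'color' field (constructed set).
const ALLOWED_COLORS = ['green', 'blue', 'red'];

// One rule per expected field: a filter constant plus filter_var() options.
// Anything not listed here is rejected, whatever the client sends.
function fieldRules(): array
{
    return [
        'min' => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['options' => ['min_range' => 0, 'max_range' => 1000000]],
        ],
        'max' => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['options' => ['min_range' => 0, 'max_range' => 1000000]],
        ],
        'color' => [
            'filter'  => FILTER_CALLBACK,
            'options' => ['options' => function ($v) {
                // Return the value unchanged if it is in the allow-list, else false
                return in_array($v, ALLOWED_COLORS, true) ? $v : false;
            }],
        ],
    ];
}

// Validate a request array (e.g. $_POST) against the rules.
// Returns [cleanValues, errors]; cleanValues is empty whenever errors exist.
function validateRequest(array $input, array $rules): array
{
    $clean  = [];
    $errors = [];

    // Unknown fields are an error rather than being silently ignored, so
    // requests carrying extra parameters show up in the application's logs.
    foreach (array_keys($input) as $name) {
        if (!array_key_exists($name, $rules)) {
            $errors[] = "unexpected field '$name'";
        }
    }

    foreach ($rules as $name => $rule) {
        // Arrays (field[]=...) are never expected here, so treat them as malformed.
        if (!isset($input[$name]) || is_array($input[$name])) {
            $errors[] = "missing or malformed field '$name'";
            continue;
        }
        $value = filter_var($input[$name], $rule['filter'], $rule['options']);
        if ($value === false) {
            $errors[] = "invalid value for '$name'";
            continue;
        }
        $clean[$name] = $value;
    }

    // Cross-field check: a cost range only makes sense when min <= max.
    if (isset($clean['min'], $clean['max']) && $clean['min'] > $clean['max']) {
        $errors[] = "'min' must not exceed 'max'";
    }

    return $errors ? [[], $errors] : [$clean, []];
}

// Constructed sample requests standing in for $_POST.
$good = ['min' => '10', 'max' => '250', 'color' => 'blue'];
$bad  = ['min' => '10', 'max' => 'abc', 'color' => 'purple', 'debug' => '1'];

foreach ([$good, $bad] as $request) {
    [$clean, $errors] = validateRequest($request, fieldRules());
    echo $errors
        ? 'rejected: ' . implode('; ', $errors)
        : 'accepted: ' . json_encode($clean);
    echo PHP_EOL;
}
```

The validated values come back already cast (the integers are real `int`s, not strings), so the rest of the script works with `$clean` and never touches `$_POST` again; that is the practical difference between "exclude the names I know are trouble" and "accept only the names and values I know are right".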
