On 20 May 2010 15:52, Al <n...@ridersite.org> wrote:
> I agree blacklisting is a flawed approach in general. My approach is to
> strictly confine entry text to a whitelist of benign, acceptable tags. The
But that's not what you've done. You've blacklisted the following patterns:
"error_reporting\(0\)",//Most hacks I've seen make certain they turn off error reporting
"\<?php",//Here for the heck of it.
and allowed everything else. A couple of examples:
You haven't blacklisted <iframe>
I can't tell from that list alone, but are your checks
case-insensitive? Because <ScRipT> would pass through a case-sensitive
We can go on like this all day, and at the end of it you still won't
be sure you've blacklisted everything.
The first answer at
is related, also.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
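As an added illustration (not code from this thread or from Al's filter), here is the difference in PHP: a pattern blacklist in the style quoted above, beside an allowlist filter that parses the fragment and keeps only named elements and attributes. The function names and the allowed tag set are my assumptions.

```php
<?php
// Added example, not from the thread; function names and tag set are assumed.
// Blacklist in the style quoted above: regex fragments, and anything not
// matched passes. The /i flag is what makes "<ScRipT>" match "<script".
const BLACKLIST = ['error_reporting\(0\)', '<\?php', '<script'];

function blacklistRejects(string $text): bool {
    foreach (BLACKLIST as $pattern) {
        if (preg_match('/' . $pattern . '/i', $text)) return true;
    }
    return false;   // <iframe> and anything else unlisted gets through
}

// Allowlist: parse the fragment and keep only these elements/attributes.
// Unknown elements are dropped with their content; href must be http(s).
const ALLOWED = ['p' => [], 'b' => [], 'i' => [], 'br' => [], 'a' => ['href']];

function sanitizeAllowlist(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate tag soup quietly
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);
    pruneChildren($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);          // text nodes come back escaped
    }
    return $out;
}

function pruneChildren(DOMNode $node): void {
    // Copy the list first: removing a child mutates the live NodeList.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!($child instanceof DOMElement)) continue;   // text stays as text
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED[$tag])) {
            $node->removeChild($child);   // <script>, <iframe>, <ScRipT> all go
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED[$tag], true)
                 && ($name !== 'href' || preg_match('#^https?://#i', trim($attr->value)));
            if (!$keep) $child->removeAttribute($attr->name);
        }
        pruneChildren($child);
    }
}
```

The allowlist never has to enumerate what is dangerous: an element or attribute is either in the list or it is gone, which is what makes the approach hold up against tags and spellings nobody thought of.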