Hi,
Finally I did this (the smartest solution to protect EVERY variable
against malicious values).
I put the $GLOBALS into $filtered (using foreach), then I used eregi with
some common expressions, and
after that I specified an action if some of the $GLOBALS have non-permitted
characters: simply a die() with a message.

Please check out the CVS; the modified file is
/fronteend/php/include/security.php .

Best regards.

> Hi,
> I am working on a whole fix of the problem that $feedback presents (no
> filtering of
> typical html/script characters).
> Because I am trying it in a personal installation of Savane there is no
> problem
> with making mistakes :)
> This is an example of the code I am writing:
>
> if ($feedback)
> {
> $feedback = ereg_replace( "<", " -", $feedback );
> }
>
> If somebody wants to inject html code into $feedback it will replace the <
> with a -, so the code injection will not be possible.
>
> Other possibility: allow/disallow values of $feedback depending on their
> presence in an "allowed values" file.
> If a user puts a non-allowed value of $feedback it will return null
> content (no $feedback return).
> This requires more coding but is really nice.
>
> Best regards.
> --------------------------------------
> Lorenzo Hernandez Garcia-Hierro
> <-><->-<-><-><-><-><-><-><-><->
> PGP: Keyfingerprint:
> 4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
> ID: 0x91805F5B
> http://www.tuxedo-es.org
> ______________________________________
>
> _______________________________________________
> Savane-dev mailing list
> [email protected]
> https://mail.gna.org/listinfo/savane-dev
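As an added illustration (not Savane's code and not from either message above), the following PHP sketch contrasts the three ideas in this thread: the "allowed values" table for $feedback, escaping at output time instead of stripping "<" on input, and a global scan for non-permitted characters like the one in security.php. The $ALLOWED_FEEDBACK keys, the function names and the sample request array are all assumptions made for the example; preg_match stands in for eregi, which later PHP versions removed.

```php
<?php
// Added example, not Savane's code. Assumes $feedback arrives in the request.

// 1. Allow-list: only known feedback messages are accepted (the "allowed
//    values file" idea). Unknown input yields nothing, so no tag can survive.
$ALLOWED_FEEDBACK = array(          // constructed sample table
    'saved'  => 'Your changes have been saved.',
    'login'  => 'Please log in to continue.',
    'denied' => 'Permission denied.',
);

function feedback_from_allowlist($key, array $allowed)
{
    return isset($allowed[$key]) ? $allowed[$key] : '';
}

// 2. Output encoding: when free text must be echoed into HTML, encode every
//    metacharacter at the point of output instead of replacing "<" on input.
//    Unlike "<" -> " -", this also neutralises quotes inside attributes.
function feedback_to_html($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// 3. Global scan in the spirit of the security.php filter: report which
//    request variables contain HTML metacharacters so the caller can refuse
//    the request (the die() in the thread) rather than silently rewriting it.
function find_suspicious_globals(array $vars)
{
    $hits = array();
    foreach ($vars as $name => $value) {
        if (is_string($value) && preg_match('/[<>"\']/', $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample input standing in for $GLOBALS / request data.
$request = array(
    'feedback' => '<b>not a known message</b>',
    'group_id' => '42',
);

echo feedback_from_allowlist($request['feedback'], $ALLOWED_FEEDBACK), "\n";
echo feedback_to_html($request['feedback']), "\n";
print_r(find_suspicious_globals($request));
```

The allow-list returns an empty string for the unknown key, the encoder turns the tags into entities, and the scan names "feedback" as the only offending variable.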