[Fwd: Re: [PHP] Explanation in Shiflett's PHP Security Briefing]

2005-06-09 Thread [EMAIL PROTECTED]
Hm? Didn't see this one yesterday on the list? Let's try again :) -afan Chris Shiflett wrote: You forgot to filter your input. Shame! :-) Escaping alone can save you in many cases, but always filter input and escape output. I confess: I didn't forget. I did it just wrong :( Even I thought

[PHP] Explanation in Shiflett's PHP Security Briefing

2005-06-08 Thread [EMAIL PROTECTED]
I was reading PHP Security Briefing from brainbulb.com (Chris Shiflett) and didn't get one thing: in example: <?php $clean = array(); if (ctype_alnum($_POST['username'])) { $clean['username'] = $_POST['username']; } ?> why to set the $clean as array? what's wrong if I use:

Re: [PHP] Explanation in Shiflett's PHP Security Briefing

2005-06-08 Thread Richard Davey
Hello afan, Monday, June 6, 2005, 6:39:09 PM, you wrote: aan I was reading PHP Security Briefing from brainbulb.com (Chris Shiflett) aan and didn't get one thing: aan in example: aan <?php aan $clean = array(); aan if (ctype_alnum($_POST['username'])) aan { aan

Re: [PHP] Explanation in Shiflett's PHP Security Briefing

2005-06-08 Thread [EMAIL PROTECTED]
Thanks Richard. I got the point Chris was making: never believe _GET/_POST and use ctype_alnum(), mysql_real_escape_string(), htmlentities() - and I already started :) (Thanks Chris that was great for us beginners, already posted on few Bosnian php forums :)) My question though was is the

Re: [PHP] Explanation in Shiflett's PHP Security Briefing

2005-06-08 Thread Chris Shiflett
[EMAIL PROTECTED] wrote: I was reading PHP Security Briefing from brainbulb.com (Chris Shiflett) and didn't get one thing: in example: <?php $clean = array(); if (ctype_alnum($_POST['username'])) { $clean['username'] = $_POST['username']; } ?> why to set the $clean as array?

Re[2]: [PHP] Explanation in Shiflett's PHP Security Briefing

2005-06-08 Thread Richard Davey
Hello afan, Wednesday, June 8, 2005, 4:33:24 PM, you wrote: aan My question though was is the difference in code I mentioned just aan a habit of writing code or there is some more? Some security aan issues too? It was most likely just a coding habit - there was no discernable difference between

Re: [PHP] Explanation in Shiflett's PHP Security Briefing

2005-06-08 Thread Matthew Weier O'Phinney
* [EMAIL PROTECTED] [EMAIL PROTECTED] : Thanks Richard. I got the point Chris was making: never believe _GET/_POST and use ctype_alnum(), mysql_real_escape_string(), htmlentities() - and I already started :) (Thanks Chris that was great for us beginners, already posted on few Bosnian php

Re: [PHP] Explanation in Shiflett's PHP Security Briefing

2005-06-08 Thread Chris Shiflett
[EMAIL PROTECTED] wrote: I got the point Chris was making: never believe _GET/_POST and use ctype_alnum(), mysql_real_escape_string(), htmlentities() - and I already started :) (Thanks Chris that was great for us beginners, already posted on few Bosnian php forums :)) You're welcome. :-) I

Re: [PHP] Explanation in Shiflett's PHP Security Briefing

2005-06-08 Thread [EMAIL PROTECTED]
First, thanks guys for such a fast response :) Matthew Weier O'Phinney wrote: While the above would prevent most SQL injections, it could still wreak havoc with your database. For instance, what if your 'phone' or 'zip' fields in your database are integer fields, and text gets passed from