RE: [PHP] help create community newbie guide to security

2003-11-13 Thread Jay Blanchard
[snip] If you code properly, you could get away with turning register_globals on, but this requires you to be very careful when thinking about the logic of your code. [/snip] I really do hate to see the misconception about register globals continue. The bottom line is variable handling,

RE: [PHP] help create community newbie guide to security

2003-11-13 Thread Chris Shiflett
--- Jay Blanchard [EMAIL PROTECTED] wrote: [snip] If you code properly, you could get away with turning register_globals on, but this requires you to be very careful when thinking about the logic of your code. [/snip] I really do hate to see the misconception about register globals

RE: [PHP] help create community newbie guide to security

2003-11-12 Thread Chris W. Parker
Chris Shiflett mailto:[EMAIL PROTECTED] on Monday, November 10, 2003 8:21 PM said: It would probably need to be either very short or very long. Yes, I would prefer very long so as to be as complete as possible. 2. The session id should not be stored on the client. I'm not sure I agree

RE: [PHP] help create community newbie guide to security

2003-11-12 Thread Chris Shiflett
--- Chris W. Parker [EMAIL PROTECTED] wrote: My original thinking was that I wouldn't be using the session id as I would the unique identifier because of point #2 (you shouldn't store the session id on the client). But since you point out that storing the session id is a necessary evil (if I

RE: [PHP] help create community newbie guide to security

2003-11-12 Thread Pablo Gosse
[snip] It might be best to not try and definitely declare what counts as foreign data, because it's a sort of everything else type of thing. If it doesn't originate within the PHP script itself, it is foreign.[/snip] What about data from a database which is retrieved within the PHP script? Would

RE: [PHP] help create community newbie guide to security

2003-11-12 Thread Andre Volmensky
[snip] Hmmm... ok so that's all I can think of. I think it'd be a really great thing for the community if this list was corrected and added to in a detailed way (such as I've tried to do here). Looking forward to all the responses. [/snip] All these responses and nobody has said anything about

RE: [PHP] help create community newbie guide to security

2003-11-12 Thread Chris Shiflett
--- Pablo Gosse [EMAIL PROTECTED] wrote: [snip] It might be best to not try and definitely declare what counts as foreign data, because it's a sort of everything else type of thing. If it doesn't originate within the PHP script itself, it is foreign.[/snip] What about data from a database

RE: [PHP] help create community newbie guide to security

2003-11-12 Thread Chris W. Parker
Andre Volmensky mailto:[EMAIL PROTECTED] on Wednesday, November 12, 2003 2:17 PM said: All these responses and nobody has said anything about register_globals? heh, I guess you're right. Feel free to elaborate on what you mean for those of us that don't know what's up with

RE: [PHP] help create community newbie guide to security

2003-11-12 Thread Andre Volmensky
[snip] All these responses and nobody has said anything about register_globals? heh, I guess you're right. Feel free to elaborate on what you mean for those of us that don't know what's up with register_globals. [/snip] Well it's all at http://www.php.net/register_globals for anyone that

Re: [PHP] help create community newbie guide to security

2003-11-11 Thread Lawrence Kennon
Chris Shiflett wrote: In some cases, the developer may want certain HTML elements interpreted rather than escaped in this way. Perhaps you could mention that something like str_replace() can be used to convert specific HTML entities back to their original form. This method should

Re: [PHP] help create community newbie guide to security

2003-11-11 Thread Chris Shiflett
--- Lawrence Kennon [EMAIL PROTECTED] wrote: For a BBS I would like to let users post links to various resources. They 'post' a message to the BBS via a form and that is stored in a MySQL db, then the content of their 'post' is available to other users on the BBS. Currently I strip out all

Re: [PHP] help create community newbie guide to security

2003-11-11 Thread Adam i Agnieszka Gasiorowski FNORD
Chris W. Parker wrote: 10. Use htmlentities() on data that will be put through a SQL query to prevent XSS attacks. http://php.net/htmlentities How is it going to interact with MySQL FULLTEXT search SQL queries, where the characters and are in use as modifiers? -- Seks, seksi,

Re: [PHP] help create community newbie guide to security

2003-11-11 Thread Chris Shiflett
--- Adam i Agnieszka Gasiorowski FNORD [EMAIL PROTECTED] wrote: Chris W. Parker wrote: 10. Use htmlentities() on data that will be put through a SQL query to prevent XSS attacks. http://php.net/htmlentities How is it going to interact with MySQL FULLTEXT search SQL queries, where

Re: [PHP] help create community newbie guide to security

2003-11-11 Thread John W. Holmes
Lawrence Kennon wrote: For a BBS I would like to let users post links to various resources. They 'post' a message to the BBS via a form and that is stored in a MySQL db, then the content of their 'post' is available to other users on the BBS. Currently I strip out all PHP/HTML with the

Re: [PHP] help create community newbie guide to security

2003-11-11 Thread Lowell Allen
Lawrence Kennon wrote: For a BBS I would like to let users post links to various resources. They 'post' a message to the BBS via a form and that is stored in a MySQL db, then the content of their 'post' is available to other users on the BBS. Currently I strip out all PHP/HTML with the

Re: [PHP] help create community newbie guide to security

2003-11-10 Thread Chris Shiflett
--- Chris W. Parker [EMAIL PROTECTED] wrote: What I'd like to do is gather enough info to be able to write a good, short (heck it can be long, I don't care) write up on what it takes to write a secure app and be able to post a link to said document any time someone asks a question security

Re: [PHP] help create community newbie guide to security

2003-11-10 Thread Raditha Dissanayake
Nice work Chris, you have left precious little for the others to comment on :-) 10. Use htmlentities() on data that will be put through a SQL query to prevent XSS attacks. http://php.net/htmlentities This is a nice suggestion. While htmlentities() cannot be guaranteed to defend against all