Sorry
> difficult to understand why and how unquoted strings can be dangerous
This line should be
difficult to understand why and how unescaped strings can be dangerous
Regards,
--
Yasuo Ohgaki
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For
> Take for example the value of magic_quotes_gpc. To be sure that your script
> will work correctly, don't assume that it is always on (or off). So
> you can write
>
>
> if (!get_magic_quotes_gpc()) $var = addslashes($var);
>
> or write a function myaddslashes that does the same thing.
Right. I don't like
On Wednesday 01 August 2001 13:51, Meir Kriheli wrote:
> I'm writing a form class which can also validate the form and I want to
> define the rules for validating the forms, so when defining the form I can
> add...
Sorry - I should have read your earlier post :)
I suspect that you are probably
On Wednesday 01 August 2001 15:46, Phil Driscoll wrote:
> > Is this statement safe?
> >
> > eval('$a = $GLOBALS["pass1"]==$GLOBALS["pass2"]');
>
> Maybe I'm missing the point, but why not just go:
> $a = $GLOBALS["pass1"]==$GLOBALS["pass2"];
I'm writing a form class which can also validate the fo
> Is this statement safe?
>
> eval('$a = $GLOBALS["pass1"]==$GLOBALS["pass2"]');
>
Maybe I'm missing the point, but why not just go:
$a = $GLOBALS["pass1"]==$GLOBALS["pass2"];
--
Phil Driscoll
On Wednesday 01 August 2001 13:54, Yasuo Ohgaki wrote:
> > I don't think this is much of a problem. I unset() all the global session
> > variables before I use them so this should be no problem.
>
> All inputs (GET/POST/COOKIE) from users must be checked if you worry
> about security. You m
On Wednesday 01 August 2001 10:20, Richard Lynch wrote:
> >> But I'm not
> >> using eval()
> >> directly on user entered data, and I can't see where it is possible.
>
> Yes, you are.
>
> pass1 is coming from the user, is it not?
>
> You are using eval() to decide if pass1 and pass2 are equal, are
> I don't think this is much of a problem. I unset() all the global session
> variables before I use them so this should be no problem.
All inputs (GET/POST/COOKIE) from users must be checked if you worry
about security. You might have done so already.
> Even if an attacker tries to set some value for
On Wednesday 01 August 2001 10:20, Richard Lynch wrote:
> >> But I'm not
> >> using eval()
> >> directly on user entered data, and I can't see where it is possible.
>
> Yes, you are.
>
> pass1 is coming from the user, is it not?
>
> You are using eval() to decide if pass1 and pass2 are equal, are
On Wednesday 01 August 2001 02:02, Yasuo Ohgaki wrote:
> "Meir Kriheli" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
>
> > Hi,
> > I need another pair of eyes to see if I've overlooked something.
>
> SNIP
>
> > so
> > '{pass1}=={pass2}'
> >
> > is converted t
10 matches