I just discovered a hole in a whitelist validation technique I borrowed from a PHP security book (no, not Chris's book).
Uhh, there are actually two PHP security books written by someone named Chris. I can say that this is not Pro PHP Security by Chris Snyder ;-).
Beware in_array($_POST/GET[input], $whitelist)
Type matters. All input is of string type, and PHP will try to force a type match.
So the input string "securityhole" will match the int number 0.
FYI,
Cliff
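The loose-comparison problem described above, shown as an added example (not code from the original post), with the strict form beside it. The whitelist values and the simulated request value are constructed for illustration:

```php
<?php
// Added example: an integer whitelist checked against request input,
// which always arrives as a string. Constructed sample data; no real request.
$whitelist = [0, 1, 2, 3];

function isAllowedLoose(string $input, array $whitelist): bool
{
    // Default in_array() uses == (loose comparison). PHP juggles types here:
    // on PHP 7 and earlier a non-numeric string compares equal to int 0,
    // so "securityhole" == 0 is true and the check passes.
    // PHP 8 changed string/number comparison, so this specific case no longer
    // matches there, but relying on that is still fragile.
    return in_array($input, $whitelist);
}

function isAllowedStrict(string $input, array $whitelist): bool
{
    // Third argument true selects === (strict comparison): a string needle
    // never matches an int haystack entry, regardless of PHP version.
    return in_array($input, $whitelist, true);
}

// Simulated $_GET/$_POST value (constructed).
$input = 'securityhole';

var_dump(isAllowedLoose($input, $whitelist));
var_dump(isAllowedStrict($input, $whitelist));

// Safer pattern: keep the whitelist in the same type as the input (strings
// here) and compare strictly, so only exact listed values are accepted.
$stringWhitelist = ['0', '1', '2', '3'];
var_dump(in_array($input, $stringWhitelist, true));
var_dump(in_array('2', $stringWhitelist, true));
```

On PHP 7.x the loose check accepts "securityhole"; the strict checks reject it on every version and accept only the literal listed values.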
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses