On Fri, July 8, 2005 6:50 am, Jason Barnett said:
> virtualsoftware@xxxxxxxxx wrote:
> But what you *can* do, is to ini_get('register_globals') and have your
> script act accordingly. You could for example extract() your $_GET and
> $_POST variables.
>
> http://php.net/manual/en/function.extract.php

If *ALL* you're gonna do is:

<?php extract($_GET); extract($_POST); ?>

you might as well just turn register_globals *ON* and forget about Security.

You *MUST* use the new-fangled optional argument to specify which variables you are expecting, at a minimum.

You also should "scrub" your data:

Typecast any data that has to be integer to (int). If it's different from the original input data, bail out.

Check the length of any fixed-length data. md5 hashes should be 32 chars. US states are 2-char. Country-codes, 2 char, etc.

Make a string of what you consider "kosher" characters for text typed in (preg_replace needs the pattern wrapped in delimiters, hence the slashes):

<?php $kosher = "/[^a-zA-Z0-9\"'\\.,:\\?;_-]/"; ?>

Use that $kosher to preg_replace every input:

$bio = preg_replace($kosher, '', $_POST['bio']);

--
Like Music? http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
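An added example, not code from the original post or from PHP itself, that applies the three scrubs described above (int round-trip, fixed length, character whitelist) to a constructed request and then extract()s only the expected fields under a prefix; scrub_request() and $rules are my own names.

```php
<?php
// Same character class as in the post (note: it contains no space, so
// spaces are stripped too), with the delimiters preg_replace() requires.
$kosher = '/[^a-zA-Z0-9"\'\\.,:?;_-]/';

// Rules: 'int' must round-trip through (int); ['len', N] must be exactly
// N chars; 'text' has everything outside $kosher removed.
$rules = [
    'age'   => 'int',
    'state' => ['len', 2],
    'hash'  => ['len', 32],
    'bio'   => 'text',
];

// Returns [cleanValues, errorMessages]; any error means bail out.
function scrub_request(array $in, array $rules, $kosher) {
    $clean = []; $errors = [];
    foreach ($rules as $name => $rule) {
        if (!isset($in[$name])) { $errors[] = "$name missing"; continue; }
        $v = $in[$name];
        if ($rule === 'int') {
            // "If it's different from the original input data, bail out."
            if ((string)(int)$v !== (string)$v) { $errors[] = "$name not an int"; continue; }
            $clean[$name] = (int)$v;
        } elseif ($rule === 'text') {
            $clean[$name] = preg_replace($kosher, '', $v);
        } else {                                   // ['len', N]
            if (strlen($v) !== $rule[1]) { $errors[] = "$name wrong length"; continue; }
            $clean[$name] = $v;
        }
    }
    return [$clean, $errors];
}

// Constructed sample input standing in for $_POST; 'admin' is not expected.
$post = ['age' => '42', 'state' => 'CA', 'hash' => str_repeat('a', 32),
         'bio' => "I'm <b>fine</b>, 100% \"ok\".", 'admin' => '1'];

list($clean, $errors) = scrub_request($post, $rules, $kosher);
if ($errors) { die(implode("\n", $errors)); }

// Only the expected names reach local scope, and only under a prefix,
// so a stray $in_admin can never be set by the client.
extract($clean, EXTR_PREFIX_ALL, 'in');
var_dump($in_bio, isset($in_admin));

// A value such as '42abc' fails the int round-trip and is reported:
list(, $errors) = scrub_request(['age' => '42abc'] + $post, $rules, $kosher);
var_dump($errors);
```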