Filtering _REQUEST.. Why is this bad?

Hello.

Came across some code that startled me.  Mostly because it goes against
the generally accepted idea of detecting and rejecting bad input instead
of trying to escape it, secondly because "it just feels wrong."

The only technical case I have so far is for inserting a double/single
quote into the database. It will get inserted as its htmlentities equiv
of '&quot;' for example.  In the future if they wanted to display the
data in the database in a format other than HTML it will be messy.

So... the question is: What else is wrong with this? Or... why is this so
bad?


<?php
// blindly run everything in _REQUEST through htmlentities
function recursiveFilter($array)
{
    $return = array();   // start empty so an empty input returns an array, not null
    foreach ($array as $key => $val)
    {
        if (is_array($val))
        {
            $return[$key] = recursiveFilter($val);
        } else {
            $return[$key] = htmlentities($val, ENT_QUOTES);
        }
    }
    return $return;
}
$_REQUEST = recursiveFilter($_REQUEST);

// queries directly inserting from $_REQUEST
// echo'ing of data directly from $_REQUEST

?>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
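The following is an added example, not code from the original post, showing concretely what the input-side htmlentities filter above does and does not buy you: a numeric SQL context stays injectable, legitimate data is stored already encoded (and gets double-encoded by any template that escapes on output), and an unquoted HTML attribute is still injectable. The second half shows the usual alternative of keeping raw input and escaping at each output layer. It assumes PHP 7.4+ with the pdo_sqlite extension; the "users" table, its columns and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example: why HTML-encoding $_REQUEST on the way in is the wrong layer.
// Assumes pdo_sqlite is available; the users table and inputs are constructed.

// The filter from the post, reproduced so this file runs on its own.
function recursiveFilter(array $array): array
{
    $return = array();
    foreach ($array as $key => $val) {
        $return[$key] = is_array($val)
            ? recursiveFilter($val)
            : htmlentities($val, ENT_QUOTES);
    }
    return $return;
}

// Constructed request parameters, as they would arrive in $_REQUEST.
$input = array(
    'id'   => '1 OR 1=1',                 // no quotes or brackets: nothing to encode
    'name' => "O'Brien",                  // perfectly legitimate data
    'link' => 'x onmouseover=alert(1)',   // breaks out of an unquoted attribute
);
$filtered = recursiveFilter($input);

// 1. SQL: htmlentities only rewrites & < > and quotes, so a numeric context
//    receives the attacker's string byte for byte.
$sql = "SELECT * FROM users WHERE id = " . $filtered['id'];
// $sql is: SELECT * FROM users WHERE id = 1 OR 1=1

// 2. Storage: the name is persisted as O&#039;Brien, so a CSV export, a JSON
//    API or a plain-text mail shows the entity, and a template that escapes
//    on output (the right thing to do) double-encodes it.
$stored  = $filtered['name'];                  // O&#039;Brien
$doubled = htmlentities($stored, ENT_QUOTES);  // O&amp;#039;Brien

// 3. HTML: spaces, '=' and parentheses survive htmlentities untouched.
$html = '<a href=' . $filtered['link'] . '>profile</a>';
// <a href=x onmouseover=alert(1)>profile</a>

// The alternative: keep the raw input, validate it, and let each output
// layer escape for itself (placeholders for SQL, htmlspecialchars inside a
// quoted attribute for HTML).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

$id = filter_var($input['id'], FILTER_VALIDATE_INT);   // false for "1 OR 1=1"
if ($id === false) {
    $rows = array();                                    // reject; do not "repair"
} else {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->execute(array($id));
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
$stmt->execute(array($input['name']));                 // stores O'Brien verbatim

$safeHtml = '<a href="'
    . htmlspecialchars($input['link'], ENT_QUOTES, 'UTF-8')
    . '">profile</a>';
// <a href="x onmouseover=alert(1)">profile</a> (inert inside the quotes)

echo $sql, "\n", $stored, "\n", $doubled, "\n", $html, "\n";
var_dump($rows);                                        // empty: the id was rejected
echo $safeHtml, "\n";
```

Run it with the PHP CLI; the three echoed lines before the var_dump are the injectable query, the pre-encoded name and its double-encoded form. The point is not that htmlentities is harmful in itself, but that encoding is a property of the output context (SQL, HTML body, HTML attribute, CSV, mail), so it has to happen where the data is emitted, while input handling should be limited to validating shape and rejecting what does not fit.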

