Here's my opinion on the matter. It is not advised to do filtering on _REQUEST, or to get data from it in general, actually. It is much better to specify where your data is coming from (e.g. _POST or _GET). This is because the variable _REQUEST contains all the data from the cookies, get and post, and if you ever have the same variable name in two or more of those variables you might get the wrong one. And as we all know there is a security risk with cookies: users can easily replace your data, for example in post, using cookies.

hth,
john

On 2/13/07, Travis Doherty <travis@xxxxxxxxxxx> wrote:
Hello. Came across some code that startled me. Mostly because it goes against the generally accepted idea of detecting and rejecting bad input instead of trying to escape it, secondly because "it just feels wrong."

The only technical case I have so far is for inserting a double/single quote into the database. It will get inserted as its htmlentities equiv of '&quot;' for example. In the future if they wanted to display the data in the database in a format other than html it will be messy.

So... the question is: What else is wrong with this? or.. Why is this so bad?

<?php
// blindly run everything in _REQUEST through htmlentities
function recursiveFilter($array) {
    $return = array(); // initialise so an empty input returns an array, not null
    foreach ($array as $key => $val) {
        if (is_array($val)) {
            $return[$key] = recursiveFilter($val);
        } else {
            $return[$key] = htmlentities($val, ENT_QUOTES);
        }
    }
    return $return;
}

$_REQUEST = recursiveFilter($_REQUEST);

// queries directly inserting from $_REQUEST
// echo'ing of data directly from $_REQUEST
?>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
-- GMail Rocks!!!
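The following script is an added example, not code from either message in the thread. It reuses the recursiveFilter function from the quoted snippet to show the round-trip damage Travis describes (HTML entities end up in the database, so a non-HTML consumer such as a JSON API gets the wrong string), contrasts it with storing the raw value behind a prepared statement and escaping at output time, and then illustrates John's point about $_REQUEST with a hypothetical buildRequest helper that mimics how PHP merges GET, POST and COOKIE. It assumes PHP with the pdo_sqlite extension; every request value is constructed for the demonstration.

```php
<?php
// Added example (not from the original thread). Assumes pdo_sqlite is available.
declare(strict_types=1);

// --- 1. The pattern from the quoted snippet: htmlentities applied on input ------
function recursiveFilter(array $array): array
{
    $return = [];
    foreach ($array as $key => $val) {
        $return[$key] = is_array($val)
            ? recursiveFilter($val)
            : htmlentities((string) $val, ENT_QUOTES);
    }
    return $return;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed POST body: a legitimate name containing quotes and an ampersand.
$post = ['name' => 'Conan "the Barbarian" O\'Brien & Co'];

$filtered = recursiveFilter($post);               // data is altered before storage
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $filtered['name']]);
$storedBad = $pdo->query('SELECT name FROM users WHERE id = 1')->fetchColumn();

// The row now holds HTML entities, so any non-HTML consumer sees them verbatim.
echo "stored (input-escaped): $storedBad\n";
echo "as JSON for an API:     " . json_encode(['name' => $storedBad]) . "\n";
// stored (input-escaped): Conan &quot;the Barbarian&quot; O&#039;Brien &amp; Co

// --- 2. The alternative: store the raw value, escape for each output context ---
$insert->execute([':name' => $post['name']]);     // the prepared statement does the quoting
$storedGood = $pdo->query('SELECT name FROM users WHERE id = 2')->fetchColumn();

echo "stored (raw):           $storedGood\n";
echo "as HTML:                " . htmlspecialchars($storedGood, ENT_QUOTES, 'UTF-8') . "\n";
echo "as JSON for an API:     " . json_encode(['name' => $storedGood]) . "\n";
// stored (raw):           Conan "the Barbarian" O'Brien & Co
// as HTML:                Conan &quot;the Barbarian&quot; O&#039;Brien &amp; Co
// as JSON for an API:     {"name":"Conan \"the Barbarian\" O'Brien & Co"}

// --- 3. Why reading from $_REQUEST can hand you a cookie instead of the POST ----
// PHP fills $_REQUEST by merging GET, POST and COOKIE in the order named by the
// variables_order ini setting (request_order from PHP 5.3 on); a later source
// overwrites an earlier one for the same key. buildRequest is a hypothetical
// helper that reproduces that merge so the effect can be shown offline.
function buildRequest(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split($order) as $letter) {
        $request = array_merge($request, $sources[$letter] ?? []);
    }
    return $request;
}

$get    = [];
$cookie = ['role' => 'admin'];   // constructed: cookie set by the client
$post   = ['role' => 'user'];    // constructed: what the form actually submitted

$request = buildRequest($get, $post, $cookie);
echo "\$_POST['role']    = {$post['role']}\n";     // user
echo "\$_REQUEST['role'] = {$request['role']}\n";  // admin (cookie shadows POST)
```

The practical check for section 3 is the value of request_order (or, if it is empty, variables_order) in php.ini: a setting such as "GPC" or the built-in "EGPCS" lets a cookie overwrite a same-named POST field in $_REQUEST, while the "GP" shipped in php.ini-production leaves cookies out entirely. Reading from $_POST or $_GET directly sidesteps the question.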