"Dan" <frozendice@xxxxxxxxx> wrote in message news:90.5A.33385.EA195774@xxxxxxxxxxxxxxx
>
> You really need to filter your input more, have a list of what is
> acceptable not what is unacceptable. That being, make it a requirement
> that the url input has a TLD (.com, .net, .org, etc.) or is a valid IP (ping
> it), only allow alphanumerics for the name, etc. When you don't validate
> your site can get hacked, I know it's not really insecure but it's just an
> example of input you may not expect, if you try to validate
> http://localhost it goes ahead and validates your server's html.

I make sure it starts with "http:" or "https:" and change spaces to %20 so it will work. I also check for some possible recursion issues. I think I'm fairly secure just doing that. What could happen security-wise? What else do you think I need to do?

I don't want to check for a TLD as there are many and I don't think it is necessary... and pinging doesn't seem like a good idea either as some servers probably won't respond to pings.

The localhost issue is interesting, but I don't see it as a security issue. I would like to know if there are any serious security issues I may be overlooking though.

Thanks,
Albert

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
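
An added example, not code from either poster: one way to apply the allowlist approach and the `http://localhost` case discussed in this thread before a server-side fetch. It goes beyond the thread by resolving the host and rejecting loopback, private and reserved addresses; `is_fetchable_url()`, the injectable resolver and the sample hosts are hypothetical.

```php
<?php
// Added example: allowlist check for a user-supplied URL before the server fetches it.
// is_fetchable_url() and the sample hosts are hypothetical, not from the thread.
function is_fetchable_url(string $url, ?callable $resolver = null): bool
{
    $resolver = $resolver ?? 'gethostbynamel'; // IPv4 lookup: array of addresses or false
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Accept only the two schemes the validator is meant to fetch.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Reject embedded credentials (http://user:pass@host/).
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Host must be plain letters, digits, dots and hyphens (this also rejects IPv6 literals).
    $host = $parts['host'];
    if (!preg_match('/^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/', $host)) {
        return false;
    }
    // Use the literal address if the host is one, otherwise resolve the name.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolver($host);
    if (!$ips) {
        return false;
    }
    // Every resolved address must be public: no loopback, private or reserved ranges.
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed resolver and URLs so the example runs offline.
$table = ['www.example.test' => ['93.184.216.34'], 'localhost' => ['127.0.0.1'],
          'intranet.example.test' => ['10.0.0.5']];
$fake = function (string $h) use ($table) { return $table[$h] ?? false; };
foreach (['http://www.example.test/page.html', 'http://localhost/', 'https://intranet.example.test/',
          'http://192.168.1.1/admin', 'ftp://www.example.test/', 'http://nosuchhost.test/'] as $u) {
    printf("%-38s %s\n", $u, is_fetchable_url($u, $fake) ? 'fetch' : 'reject');
}
```

The fetch that follows should connect to the address that was checked and repeat the check on every redirect, since a name can resolve differently between the check and the request.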