[nycphp-talk] PHP Vulnerability
csnyder
chsnyder at gmail.com
Fri Dec 17 16:40:29 EST 2004
Daniel Convissor wrote:
> Though, of course, I use PHP functions to do that checking. So, if
> preg functions had a vulnerability... OUCH!
Heh. Exactly what I mean.
In this case, I actually have no idea what the specially crafted
string is that breaks unserialize() -- but if it's a string, and not
an insanely big one, then it would go through any input validation
unnoticed.
Especially if it was in, say, a message field where all you did was
strip_tags() and store it. Which is why I'm upgrading now.
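The point made above, as an added example that is not part of the original message or of any project it mentions: a "sanitising" validation layer (a length cap plus strip_tags()) passes a serialized-PHP string through unchanged, because there is nothing tag-like in it to strip. The crafted string that broke unserialize() is not reproduced here; a harmless serialized array stands in for it. The function names, the size limit and the sample input are all constructed for the example, and the code uses PHP 7.3+ syntax rather than the PHP 4/5 of the thread.

```php
<?php
// Added example (not from the original message). Inputs are constructed.

// Hypothetical validation layer of the kind described in the thread:
// reject "insanely big" input, strip HTML, store whatever is left.
function validate_message(string $raw, int $maxLen = 4000): ?string
{
    if (strlen($raw) > $maxLen) {
        return null;              // oversized input is rejected
    }
    return strip_tags($raw);      // strips <tags>; leaves other bytes intact
}

// Constructed attacker-supplied message body: valid serialized PHP, no HTML.
// A real crash string would differ; the shape is what matters here.
$payload = 'a:1:{s:4:"note";s:19:"looks like a string";}';

$stored = validate_message($payload);
var_dump($stored === $payload);   // bool(true): validation changed nothing

// Unsafe sink: any later code that unserialize()s the stored field hands
// attacker-controlled bytes to the serialization parser. That is the exposure
// the thread is about, and no amount of strip_tags() upstream removes it.
function load_message_unsafe(string $stored)
{
    return unserialize($stored);
}

// Hardened alternative: never unserialize() user-controlled data. Keep the
// field as opaque text, and if structure is genuinely needed, use JSON, which
// has no object-instantiation semantics and a bounded nesting depth.
function load_message_safe(string $stored): array
{
    try {
        $decoded = json_decode($stored, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return ['note' => $stored];   // not JSON: treat it as plain text
    }
    return is_array($decoded) ? $decoded : ['note' => $stored];
}

var_dump(load_message_unsafe($stored));  // parser ran on untrusted bytes
var_dump(load_message_safe($stored));    // ['note' => 'a:1:{...}'], as text
```

On PHP 7+ the `allowed_classes` option (`unserialize($s, ['allowed_classes' => false])`) blocks object injection, but it does not help against a bug inside the unserialize() parser itself, which is the case the thread discusses; for that, the only fix is the one the message reaches, upgrading, plus keeping untrusted strings away from unserialize() in the first place.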