[nycphp-talk] Managing form data with PHP

tedd tedd at sperling.com
Fri Dec 14 09:41:49 EST 2007


At 12:53 PM -0500 12/13/07, David Mintz wrote:
>Once upon a time someone said it was a security risk to echo back 
>$_POST data unconditionally, even if you escape it, and even though 
>you are only showing them the very thing they just submitted to you. 
>But I forget what that risk was. Maybe I misremember.
>
>I suppose if someone were to submit a string the length of War and 
>Peace, it would squander bandwidth if you sent it back without 
>truncating, but is that a true security risk?
>
>--
>David Mintz

Not that I experienced it, not that I'm correct, but the idea *I* 
remember was that if you exceeded the length of a POST you could 
crash the system and have your way with it. BUT, that was a long time 
ago and things have changed.

Cheers,

tedd
-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com
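The escaped, truncated echo-back that David's question describes, written out as an added example; this is not code from the thread or from either poster. It assumes PHP 8 with the mbstring extension and a UTF-8 page; the field names, the length cap and the sample input are all constructed for the illustration. Beyond escaping, it whitelists the field names it reflects and refuses array values (from `name[]` inputs), two checks the question does not mention but that a reflected form needs.

```php
<?php
// Added example (not from the thread): reflect submitted form fields back to
// the user safely. Assumes PHP 8 with mbstring and a UTF-8 page; FORM_FIELDS,
// MAX_FIELD_LENGTH and the sample input below are hypothetical.

declare(strict_types=1);

// Only fields the form actually has are reflected; any other key is dropped
// rather than echoed, so an unexpected key cannot be used to shape the page.
const FORM_FIELDS = ['name', 'email', 'comment'];
const MAX_FIELD_LENGTH = 1000; // cap for the "War and Peace" submission

/**
 * Return a value that is safe inside an HTML element body or a double-quoted
 * attribute. Arrays (from name[] inputs) are not strings and are rejected
 * instead of being coerced to the literal "Array".
 */
function reflectField(mixed $value, int $max = MAX_FIELD_LENGTH): string
{
    if (!is_string($value)) {
        return '';
    }
    // Truncate first so the response cannot be made arbitrarily large.
    // mb_substr counts characters, so a multibyte character is never cut in half.
    if (mb_strlen($value, 'UTF-8') > $max) {
        $value = mb_substr($value, 0, $max, 'UTF-8');
    }
    // ENT_QUOTES escapes both quote styles (safe inside attributes);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning "".
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Collect the whitelisted fields from a $_POST-shaped array. */
function reflectForm(array $post): array
{
    $out = [];
    foreach (FORM_FIELDS as $field) {
        $out[$field] = reflectField($post[$field] ?? '');
    }
    return $out;
}

// Constructed sample input standing in for $_POST when run from the CLI.
$sample = [
    'name'    => "O'Reilly <script>alert(1)</script>",   // reflected XSS attempt
    'email'   => ['not', 'a', 'string'],                 // name[] style submission
    'comment' => str_repeat('War and Peace ', 200),      // well over the cap
    'admin'   => '1',                                    // not a form field, dropped
];

$post = (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') ? $_POST : $sample;

header('Content-Type: text/html; charset=UTF-8'); // no-op on the CLI
$fields = reflectForm($post);
echo "<p>You entered:</p>\n";
foreach ($fields as $name => $safe) {
    // $name comes from FORM_FIELDS, not from the request, so it needs no escaping.
    echo "<p><b>{$name}:</b> {$safe}</p>\n";
}
```

Run it with `php reflect.php` to see the sample reflected: the `<script>` tag comes back as `&lt;script&gt;`, the apostrophe as `&#039;`, the array as an empty field, the long comment cut at 1000 characters, and `admin` not at all. The length cap is what answers the bandwidth half of the question; the escaping, the type check and the whitelist are what keep the echo from being a reflected-content problem.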
