NYCPHP Meetup

NYPHP.org

[nycphp-talk] Input whitelist validation warning

Cliff Hirsch cliff at pinestream.com
Thu May 17 18:35:20 EDT 2007


I just discovered a hole in a white list validation technique I borrowed from a
PHP security book (no, not Chris' book).

Beware in_array($_POST/GET['input'], $whitelist)

Type matters. All input is string type and PHP will try to force type
matching.

So the input string 'securityhole' will match the int number 0.

FYI,
Cliff
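The following is an added example, not code from Cliff's post or from the book he refers to. It reproduces the loose-comparison problem in_array() has when its third argument is omitted, and shows two strict alternatives. The whitelist ALLOWED_IDS and the sample inputs are constructed for the demo; the helper names are my own. One caveat the post predates: on PHP 5 and 7 a non-numeric string such as 'securityhole' compares equal to the integer 0, which is the hole described; PHP 8.0 changed int-vs-non-numeric-string comparison to compare as strings, so 'securityhole' == 0 is false there, but leading-numeric and whitespace-padded strings (' 1', '1e0') still match integers loosely on every version, so the strict form is the only safe one.

```php
<?php
// Added example (not from the original post). Reproduces the loose in_array()
// whitelist check and shows strict replacements. ALLOWED_IDS and $samples are
// constructed for this demo.

/** Whitelist kept as integers, the way the book-style code had it. */
const ALLOWED_IDS = [0, 1, 2, 3];

/**
 * The risky version: in_array() without its third argument uses == (loose).
 * On PHP < 8, 'securityhole' == 0 is true, so any non-numeric string passes
 * whenever 0 is in the whitelist. On every version, ' 1' and '1e0' also
 * loosely equal 1.
 */
function looseIsAllowed(string $input): bool
{
    return in_array($input, ALLOWED_IDS);
}

/**
 * Hardened: validate the shape of the string first, then cast and compare
 * with === (third argument true). No string can ever match an int this way.
 */
function strictIsAllowed(string $input): bool
{
    // Only plain decimal digits; rejects '', ' 1', '1e0', '2abc', 'securityhole'.
    if (!ctype_digit($input)) {
        return false;
    }
    // Reject leading zeros so the accepted token is exactly the canonical id.
    if ((string) (int) $input !== $input) {
        return false;
    }
    return in_array((int) $input, ALLOWED_IDS, true);
}

/**
 * Alternative when the whitelist is kept as strings: compare strings to
 * strings, strictly, with no cast at all.
 */
function strictStringIsAllowed(string $input): bool
{
    static $allowed = ['0', '1', '2', '3'];
    return in_array($input, $allowed, true);
}

// Constructed sample inputs, as they arrive in $_POST / $_GET (always strings).
$samples = ['securityhole', '0', '2', '2abc', '', ' 1', '1e0', '02'];

printf("%-16s %-7s %-7s %-7s\n", 'input', 'loose', 'strict', 'str');
foreach ($samples as $in) {
    printf("%-16s %-7s %-7s %-7s\n",
        var_export($in, true),
        var_export(looseIsAllowed($in), true),
        var_export(strictIsAllowed($in), true),
        var_export(strictStringIsAllowed($in), true));
}
```

Run it under PHP 7 and PHP 8 side by side: the loose column flips for 'securityhole', '2abc' and '' between the two versions, while ' 1' and '1e0' stay true on both. The two strict columns are identical on every version, which is the property a whitelist check needs.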
