[nycphp-talk] Input whitelist validation warning
Cliff Hirsch
cliff at pinestream.com
Thu May 17 20:45:52 EDT 2007
You are right ― I forgot about Chris Snyder’s excellent book.
On 5/17/07 8:39 PM, "Michael Southwell" <michael.southwell at nyphp.com> wrote:
> At 06:35 PM 5/17/2007, you wrote:
>> I just discovered a hole in a whitelist validation technique I borrowed from a
>> PHP security book (no, not Chris' book).
>
> uhh, there are actually two PHP security books written by someone named Chris.
> I can say that this is not Pro PHP Security by Chris Snyder ;-).
>
>> Beware in_array($_POST/GET['input'], $whitelist)
>>
>> Type matters. All input is string type and PHP will try to force type
>> matching.
>>
>> So the input string 'securityhole' will match the int number 0.
>>
>> FYI,
>> Cliff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070517/7c3d6692/attachment.html>
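The pitfall Cliff describes, worked through as an added example (not code from the thread or from either book): a whitelist of integer option ids checked against request input, which is always a string. The function names and the sample whitelist are constructed for illustration; the comparison rules are PHP's own.

```php
<?php
// Added example: loose vs strict in_array() on an integer whitelist.
// Assumes the whitelist holds ints and the input is a string, as every
// $_GET / $_POST value is.

declare(strict_types=1);

/** Loose check, exactly as in the thread: in_array() defaults to == juggling. */
function allowedLoose(string $input, array $whitelist): bool
{
    return in_array($input, $whitelist);          // third argument defaults to false
}

/** Strict check: passing true as the third argument makes in_array() use ===. */
function allowedStrict(string $input, array $whitelist): bool
{
    return in_array($input, $whitelist, true);
}

/**
 * Normalise first, then compare strictly. Only all-digit input is accepted,
 * so "securityhole" or "0abc" can never be juggled into 0.
 */
function allowedNormalised(string $input, array $whitelist): bool
{
    if (!ctype_digit($input)) {
        return false;
    }
    return in_array((int) $input, $whitelist, true);
}

// Constructed sample data: permitted ids 0..2 and a few request values.
$whitelist = [0, 1, 2];
$inputs    = ['1', 'securityhole', '0abc', '1.0'];

foreach ($inputs as $in) {
    printf("%-15s loose=%-5s strict=%-5s normalised=%s\n",
        var_export($in, true),
        var_export(allowedLoose($in, $whitelist), true),
        var_export(allowedStrict($in, $whitelist), true),
        var_export(allowedNormalised($in, $whitelist), true));
}
```

On PHP 5 and 7 the loose check accepts 'securityhole' and '0abc' (both juggle to int 0) and '1.0' (numeric string equal to 1). PHP 8.0 changed string-to-number comparison so non-numeric strings no longer equal 0, but '1.0' still passes loosely, so the strict or normalising form is the dependable fix on any version. Note the other half of the trap: the strict check rejects '1' as well, because the string '1' is not identical to the int 1. With strict comparison the whitelist and the input must be of the same type, either by storing the whitelist as strings or by normalising the input as allowedNormalised() does.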