Re: [PHP] Security check

Posted by Rasmus Lerdorf on 06/01/05 23:33

Andy Pieters wrote:
> $valid=array('from','authorize','order');
> #copy GET to POST
> if(count($_GET)>0)
> {foreach($_GET as $key=>$value)
> if(in_array($key,$valid))
> {$key=htmlspecialchars($key);
> $value=htmlspecialchars($value);
> $hiddens.=<<<___hid
> <input type="hidden" name="$key" value="$value">\n\t
> ___hid;
> }
> }

Ok, you are cleaning your input data nicely here.

> elseif(count($_POST)>0)
> foreach($_POST as $key=>$value)
> if( ($key!=='login') && ($key!=='name') && ($key!=='pass') )
> $hiddens.=<<<_hid_
> <input type="hidden" name="$key" value="$value">\n\t
> _hid_;

But what happened here? Why do you assume POST data is safe?

> if( (array_key_exists('savereferer',$_GET)) &&
> ($_GET['savereferer']=='yes'))
> {safeReferer($ref,$chksum);
> $hiddens.=<<<_ref_
> <input type="hidden" name="referer" value="$ref">\t
> \t<input type="hidden" name="checksum" value="$chksum">
> _ref_;
> }

I don't see where $ref comes from. I am assuming it somehow trickles
down from HTTP_REFERER? If so, did you clean it?

-Rasmus
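As an added example that is not part of the original thread (neither Andy's code nor anything Rasmus posted), here is the same form-building logic with the two gaps Rasmus points out closed: POST data goes through the same allowlist and escaping as GET data, and the referer is validated and escaped before it is echoed into the page. `hiddenInputs()`, `hiddenReferer()`, `$expectedHost` and `$secret` are assumed names; the original's `safeReferer()` and `$chksum` are replaced by a keyed HMAC over the validated referer.

```php
<?php
// Added example, not code from the original thread. Assumed names:
// hiddenInputs(), hiddenReferer(), $expectedHost, $secret.

// Build hidden inputs from one request array, applying an allowlist and
// escaping both key and value. The same function serves GET and POST, so
// one method cannot be left unescaped by accident.
function hiddenInputs(array $source, array $allowed): string
{
    $out = '';
    foreach ($source as $key => $value) {
        // Allowlist first: unknown keys are dropped, not echoed back.
        if (!in_array($key, $allowed, true)) {
            continue;
        }
        // foo[]=1 arrives as an array; it cannot be one hidden field.
        if (!is_scalar($value)) {
            continue;
        }
        // ENT_QUOTES escapes ' as well as " so a value cannot close the attribute.
        $k = htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8');
        $v = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
        $out .= "<input type=\"hidden\" name=\"$k\" value=\"$v\">\n\t";
    }
    return $out;
}

// HTTP_REFERER is client-supplied and must be treated like any other input.
// Only an http(s) URL on the expected host is kept; everything else yields
// no fields at all. The HMAC lets the next request verify the round-tripped
// value without trusting the client.
function hiddenReferer(string $expectedHost, string $secret): string
{
    $ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    $parts = parse_url($ref);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array($parts['scheme'], ['http', 'https'], true)
        || strcasecmp($parts['host'], $expectedHost) !== 0) {
        return '';
    }
    $chksum = hash_hmac('sha256', $ref, $secret);
    $r = htmlspecialchars($ref, ENT_QUOTES, 'UTF-8');
    return "<input type=\"hidden\" name=\"referer\" value=\"$r\">\n\t"
         . "<input type=\"hidden\" name=\"checksum\" value=\"$chksum\">\n";
}

$allowed = ['from', 'authorize', 'order'];

// Same allowlist and the same escaping whichever method supplied the data.
if (count($_GET) > 0) {
    $hiddens = hiddenInputs($_GET, $allowed);
} else {
    // The original excluded login/name/pass from POST; an allowlist that
    // never contained them makes that exclusion unnecessary.
    $hiddens = hiddenInputs($_POST, $allowed);
}

if (isset($_GET['savereferer']) && $_GET['savereferer'] === 'yes') {
    // $expectedHost and $secret are assumed to come from server-side config,
    // not from the request (HTTP_HOST is itself client-supplied).
    $hiddens .= hiddenReferer($expectedHost, $secret);
}

echo "<form method=\"post\" action=\"\">\n\t$hiddens</form>\n";
```

The design choice is that escaping is attached to the output routine rather than to each branch that feeds it; the original's bug was possible precisely because GET and POST were serialized by two separate heredocs. Comparing the referer host against a configured value rather than `$_SERVER['HTTP_HOST']` matters because `HTTP_HOST` comes from the same request the client controls.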
