|
|
Posted by Richard Davey on 06/08/05 18:01
Hello afan,
Monday, June 6, 2005, 6:39:09 PM, you wrote:
aan> I was reading PHP Security Briefing from brainbulb.com (Chris Shiflett)
aan> and didn't get one thing:
aan> in example:
aan> <?php
aan> $clean = array();
aan> if (ctype_alnum($_POST['username']))
aan> {
aan> $clean['username'] = $_POST['username'];
aan> }
?>>
aan> why to set the $clean as array? what's wrong if I use:
aan> <?php
aan> if (ctype_alnum($_POST['username']))
aan> {
aan> $clean = $_POST['username'];
aan> }
?>>
In your example $clean will only ever hold one value. In the original
the clean array can be used to hold all clean GET/POST values. Not
many forms only have one value. The most important thing to remember
though is that your array isn't really "clean", it's just "valid". I
believe the original point Chris was making was that you should never
trust that $_POST will only contain the values you expect it to - they
should be moved out into a clean array first for further inspection
and filtering, if anything else lingers in the $_POST array, it's most
likely been tainted.
Best regards,
Richard Davey
--
http://www.launchcode.co.uk - PHP Development Services
"I do not fear computers. I fear the lack of them." - Isaac Asimov
Navigation:
[Reply to this message]
|