Re: [PHP] Explanation in Shiflett's PHP Security Briefing

Posted by Chris Shiflett on 06/08/05 18:39

afan@afan.net wrote:
> I was reading PHP Security Briefing from brainbulb.com (Chris
> Shiflett) and didn't get one thing:
> in example:
>
> <?php
> $clean = array();
> if (ctype_alnum($_POST['username']))
> {
> $clean['username'] = $_POST['username'];
> }
> ?>
>
> why set $clean as an array? what's wrong if I use:
>
> <?php
> if (ctype_alnum($_POST['username']))
> {
> $clean = $_POST['username'];
> }
> ?>

Richard already answered this pretty well, but I wanted to mention that
this is not the only way to do things - it's just the method that I use.
The idea is that I have a single variable ($clean) that I make sure to
initialize, and because it's an array, I can store all filtered data
(and only filtered data) in it.

You could use a naming convention like $clean_username, but then you
would have numerous variables to initialize on each page, increasing the
chances of you forgetting one (although E_ALL can help you catch these
mistakes). I'm just going for the simplest approach - the easier I can
make things, the less likely I am to make a mistake. :-)

The bottom line is that you need to be able to easily and reliably
distinguish between filtered and tainted data. How you do this is up to you.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
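As an added illustration (not code from Chris's post or from the briefing), here is the single-$clean-array convention applied to a form with several fields, each with its own filter; the field names, rules and the sample $_POST values are constructed for this example:

```php
<?php
// Added example: one initialized $clean array holds every value that has
// passed its filter, so code further down never reads $_POST directly.
// The form fields and the sample input below are constructed for illustration.

// Constructed input standing in for a real $_POST (one field fails its filter).
$_POST = array(
    'username' => 'alice99',
    'age'      => '3x',          // not all digits: will be rejected
    'role'     => 'editor',
);

$clean = array();   // always initialized, empty until something passes a filter

// One rule per field; each returns true only for an acceptable value.
$rules = array(
    'username' => function ($v) { return is_string($v) && ctype_alnum($v) && strlen($v) <= 32; },
    'age'      => function ($v) { return is_string($v) && ctype_digit($v) && (int) $v <= 150; },
    'role'     => function ($v) { return in_array($v, array('viewer', 'editor'), true); },
);

foreach ($rules as $field => $ok) {
    if (isset($_POST[$field]) && $ok($_POST[$field])) {
        $clean[$field] = $_POST[$field];
    }
}

// From here on only $clean is consulted. A field that failed its filter (or
// was never sent) is simply absent, so the code must check for it instead
// of silently receiving tainted input.
$username = isset($clean['username']) ? $clean['username'] : null;
$age      = isset($clean['age'])      ? (int) $clean['age'] : null;
$role     = isset($clean['role'])     ? $clean['role']     : 'viewer';

var_dump($clean);   // holds 'username' and 'role' only; 'age' was rejected
?>
```

Because every field goes through the same loop, adding a form field means adding one rule, rather than remembering to initialize and filter a new $clean_xxx variable on each page.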
