Re: [PHP] Re: Register globals and ini_set

Posted by "Richard Lynch" on 07/11/05 05:34

On Fri, July 8, 2005 6:50 am, Jason Barnett said:
> virtualsoftware@gmail.com wrote:
> But what you *can* do, is to ini_get('register_globals') and have your
> script act accordingly. You could for example extract() your $_GET and
> $_POST variables.
>
> http://php.net/manual/en/function.extract.php

If *ALL* you're gonna do is:
<?php
extract($_GET);
extract($_POST);
?>

you might as well just turn register_globals *ON* and forget about Security.

You *MUST* use the new-fangled optional argument to specify which
variables you are expecting, at a minimum.

You also should "scrub" your data:

Typecast any data that has to be integer to (int). If it's different from
the original input data, bail out.

Check the length of any fixed-length data. md5 hashes should be 32 chars.
US states are 2-char. Country-codes, 2 char, etc.

Make a string of what you consider "kosher" characters for text typed in:
<?php
// The pattern needs delimiters (here "/") before preg_replace() will accept it.
$kosher = "/[^a-zA-Z0-9\"'\\.,:\\?;_-]/";
?>

Use that $kosher to preg_replace every input:
$bio = preg_replace($kosher, '', $_POST['bio']);



--
Like Music?
http://l-i-e.com/artists.htm
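The scrubbing steps from the post above, put together as an added example (not Richard's code). Field names, `$input` (a constructed stand-in for `$_POST`) and the added space in the allowed-character set are assumptions; PHP 7.1+ for the nullable return types.

```php
<?php
// Added example, not code from the original post. Field names (user_id, state,
// digest, bio) and $input (a constructed stand-in for $_POST) are assumptions.

// Pre-declare exactly the variables we expect; EXTR_IF_EXISTS makes extract()
// fill only those, so an unexpected key such as 'is_admin' never becomes a
// variable in this scope.
function collectExpected(array $request): array
{
    $user_id = '';
    $state   = '';
    $digest  = '';
    $bio     = '';
    extract($request, EXTR_IF_EXISTS);
    return compact('user_id', 'state', 'digest', 'bio');
}

// Integer field: cast, then compare with the original text. Any difference
// ("42abc", "4.0", " 7") means the input was not a plain integer: bail out.
function scrubInt(string $raw): ?int
{
    $n = (int) $raw;
    return ((string) $n === $raw) ? $n : null;
}

// Fixed-length field: the pattern pins both the alphabet and the exact length.
function scrubFixed(string $raw, string $pattern): ?string
{
    return preg_match($pattern, $raw) === 1 ? $raw : null;
}

// Free text: delete every character outside the "kosher" set, then cap length.
// This is the post's set plus a space (assumed), wrapped in the / delimiters
// that preg_replace() requires.
function scrubText(string $raw, int $max): string
{
    $kosher = "/[^a-zA-Z0-9\"'\\.,:\\?;_ -]/";
    return substr(preg_replace($kosher, '', $raw), 0, $max);
}

$input = [                                // constructed request data
    'user_id'  => '42abc',
    'state'    => 'CA',
    'digest'   => 'd41d8cd98f00b204e9800998ecf8427e',
    'bio'      => "I <3 PHP & coffee; ask me why?",
    'is_admin' => '1',                    // unexpected key, never extracted
];
$v = collectExpected($input);
var_export([
    'user_id' => scrubInt($v['user_id']),                      // NULL: reject request
    'state'   => scrubFixed($v['state'], '/^[A-Z]{2}$/'),      // 'CA'
    'digest'  => scrubFixed($v['digest'], '/^[0-9a-f]{32}$/'), // 32 hex chars kept
    'bio'     => scrubText($v['bio'], 500),                    // 'I 3 PHP  coffee; ask me why?'
]);
```

A `NULL` from `scrubInt()` or `scrubFixed()` is the "bail out" case the post describes; `scrubText()` instead silently drops characters, so log what it removed if you need to notice tampering.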

 

Copyright © 2005-2006 Powered by Custom PHP Programming
