Posted by John Nichel on 11/26/05 02:27
Matt Monaco wrote:
> Somewhat, but it's what you need to do for the post and get arrays to work.
<snip>
No. Things like $_POST and $_GET are global arrays and work regardless
of the register_globals setting. The information you're handing out
above is wrong and dangerous.
</snip>
> What you need to do is make sure to check the values in the global variables
> before you use them. For example if on one page you have a form for a user
> signup and <input type=text name='userName'> on the next page
> $_POST['userName'] should be checked for things like quotes and other
> characters that will alter your SQL statement before you actually INSERT
> that value into your table.
i.e., they should be sanitized. Things like mysql_real_escape_string() or
adding slashes (depending on your magic_quotes setting) should be done
prior to inserting any data. Also, you should check to ensure that it's
the data you expect; if you only allow usernames to contain
alpha-numeric characters, then you should check for that. Toss it out
if it contains something else.
Best rule of thumb: Never trust user input, regardless of the
register_globals setting.
--
By-Tor.com
....it's all about the Rush
http://www.by-tor.com
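The whitelist check and the database step described in the post above, as an added example that is not part of the original thread: the username is rejected unless it is alphanumeric, and the INSERT uses a mysqli prepared statement in place of the manual escaping the post mentions. The `users` table and the connection details are assumptions.

```php
<?php
// Added example (not from the original thread): whitelist-check a posted
// username, then insert it with a parameterised query. The `users` table
// and the connection credentials are assumed placeholders.

// Return the validated username, or null if it is not what we expect.
function validate_username(?string $raw): ?string
{
    if ($raw === null) {
        return null;                        // field missing from the form
    }
    // Only alphanumeric characters, 3..32 long; "toss it out" otherwise.
    if (!ctype_alnum($raw) || strlen($raw) < 3 || strlen($raw) > 32) {
        return null;
    }
    return $raw;
}

$userName = validate_username($_POST['userName'] ?? null);
if ($userName === null) {
    http_response_code(400);
    exit('Invalid username');
}

// Prepared statement: the value travels separately from the SQL text, so a
// quote inside it cannot change the statement. This stands in for the
// mysql_real_escape_string()/addslashes() step the post describes.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb'); // assumed credentials
$stmt = $db->prepare('INSERT INTO users (username) VALUES (?)');
$stmt->bind_param('s', $userName);
$stmt->execute();
```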