Posted by Rasmus Lerdorf on 06/01/05 23:33
Andy Pieters wrote:
> $valid=array('from','authorize','order');
> #copy GET to POST
> if(count($_GET)>0)
> {foreach($_GET as $key=>$value)
> if(in_array($key,$valid))
> {$key=htmlspecialchars($key);
> $value=htmlspecialchars($value);
> $hiddens.=<<<___hid
> <input type="hidden" name="$key" value="$value">\n\t
> ___hid;
> }
> }
Ok, you are cleaning your input data nicely here.
> elseif(count($_POST)>0)
> foreach($_POST as $key=>$value)
> if( ($key!=='login') && ($key!=='name') && ($key!=='pass') )
> $hiddens.=<<<_hid_
> <input type="hidden" name="$key" value="$value">\n\t
> _hid_;
But what happened here? Why do you assume POST data is safe?
> if( (array_key_exists('savereferer',$_GET)) &&
> ($_GET['savereferer']=='yes'))
> {safeReferer($ref,$chksum);
> $hiddens.=<<<_ref_
> <input type="hidden" name="referer" value="$ref">\t
> \t<input type="hidden" name="checksum" value="$chksum">
> _ref_;
> }
I don't see where $ref comes from. I am assuming it somehow trickles
down from HTTP_REFERER? If so, did you clean it?
-Rasmus
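
The points raised in the reply above, as an added example that is not part of the original thread or of the poster's code: one escaping helper is applied to every key and value written into a hidden field, whether it arrived via GET, POST or the Referer header. The helper names `h()` and `hiddenFields()`, the sample input, and the choice to apply the same allow-list to POST are assumptions of this example.

```php
<?php
// Added example: escape every request-derived key and value before it is
// written into a hidden <input>, regardless of which request source it came from.

function h(string $s): string
{
    // ENT_QUOTES escapes both quote styles so a value cannot close the attribute;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function hiddenFields(array $input, array $allowed): string
{
    $out = '';
    foreach ($allowed as $key) {
        // Skip missing fields and array values (e.g. order[]=x), which
        // htmlspecialchars() cannot take.
        if (!isset($input[$key]) || !is_string($input[$key])) {
            continue;
        }
        $out .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            h($key),
            h($input[$key])
        );
    }
    return $out;
}

// Constructed sample input standing in for $_POST and HTTP_REFERER.
$post = [
    'from'      => 'cart',
    'order'     => '"><script>alert(1)</script>',
    'authorize' => ['unexpected', 'array'],
    'login'     => 'not on the allow-list, so never echoed',
];
$referer = 'http://example.test/page?x="onmouseover="alert(1)';

$hiddens  = hiddenFields($post, ['from', 'authorize', 'order']);
$hiddens .= hiddenFields(['referer' => $referer], ['referer']);

echo $hiddens; // markup characters in the values appear only as entities
```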