Sorry
> difficult to understand why and how unquoted strings can be
dangarous
This line should be
difficult to understand why and how unescaped strings can be dangerous
Regards,
--
Yasuo Ohgaki
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For
> Take for example the value of magic_quote_gpc. To be sure that your
script
> will work correctly, don't assume that it is always on (or off). So
> you can write
>
>
> if (!get_magic_quotes_gpc()) $var = addslashes($var);
>
> or write a function myaddslashes that does the same thing.
Right. I don't like
On Wednesday 01 August 2001 13:51, Meir Kriheli wrote:
> I'm writing a form class which can also validate the form and I want to
> define the rules for validating the forms, so when defining the form I can
> add...
Sorry - I should have read your earlier post :)
I suspect that you are probably
On Wednesday 01 August 2001 15:46, Phil Driscoll wrote:
> > Is this statement safe ?
> >
> > eval('$a = $GLOBALS["pass1"]==$GLOBALS["pass2"]');
>
> Maybe I'm missing the point, but why not just go:
> $a = $GLOBALS["pass1"]==$GLOBALS["pass2"];
I'm writing a form class which can also validate the fo
> Is this statement safe ?
>
> eval('$a = $GLOBALS["pass1"]==$GLOBALS["pass2"]');
>
Maybe I'm missing the point, but why not just go:
$a = $GLOBALS["pass1"]==$GLOBALS["pass2"];
--
Phil Driscoll
On Wednesday 01 August 2001 13:54, Yasuo Ohgaki wrote:
> > I don't think this is much of a problem. I unset() all the global
>
> session
>
> > variables before I use them so this should be no problem.
>
> All inputs (GET/POST/COOKIE) from users must be checked if you worry
> about security. You m
On Wednesday 01 August 2001 10:20, Richard Lynch wrote:
> >> But I'm not
> >> using eval()
> >> directly on user entered data, and I can't see where it is possible.
>
> Yes, you are.
>
> pass1 is coming from the user, is it not?
>
> You are using eval() to decide if pass1 and pass2 are equal, are
> I don't think this is much of a problem. I unset() all the global
session
> variables before I use them so this should be no problem.
All inputs (GET/POST/COOKIE) from users must be checked if you worry
about security. You might have done already.
> Even if an attacker tries to set some value for
Hi Richard,
I guess you miss my point. I always suggest to check all user inputs
(GET/POST/COOKIE), they are all unsafe unless they are checked. Anyone
can spoof these variables easily with little knowledge and attackers
do not have to be experienced to attack PHP scripts. Elementary
school kids
> It does *NOT* stop a hacker from using GET/POST to initialize variables
that
> were never set. Turn on E_NOTICE, damnit.
Whoops. That part of my rant was patently false. I was on a roll, though
:-)
If register_globals is off, of course POST 'i' can't over-ride your
uninitialized $i variable
On Wednesday 01 August 2001 10:20, Richard Lynch wrote:
> >> But I'm not
> >> using eval()
> >> directly on user entered data, and I can't see where it is possible.
>
> Yes, you are.
>
> pass1 is coming from the user, is it not?
>
> You are using eval() to decide if pass1 and pass2 are equal, are
>> But I'm not
>> using eval()
>> directly on user entered data, and I can't see where it is possible.
Yes, you are.
pass1 is coming from the user, is it not?
You are using eval() to decide if pass1 and pass2 are equal, are you not?
You are therefore directly eval-ing user code.
> "register_g
On Wednesday 01 August 2001 02:02, Yasuo Ohgaki wrote:
> "Meir Kriheli" <[EMAIL PROTECTED]> wrote in message
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
>
> > Hi,
> > I need another pair of eyes to see if I've overlooked something.
>
> SNIP
>
> > so
> > '{pass1}=={pass2}'
> >
> > is converted t
"Meir Kriheli" <[EMAIL PROTECTED]> wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hi,
> I need another pair of eyes to see if I've overlooked something.
SNIP
> so
> '{pass1}=={pass2}'
>
> is converted to
> '$GLOBALS['pass1']==$GLOBALS['pass2']'
>
> When the form is validated I'm
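An added example, not code from the thread, of evaluating the rule format quoted above ('{pass1}=={pass2}') without eval(): the rule is matched against a fixed grammar, field names are looked up in an explicit input array (assumed here as a stand-in for $_POST) instead of $GLOBALS, and the comparison is done directly, as Phil Driscoll suggests.

```php
<?php
// Added example, not code from the thread: the '{field1}=={field2}' rule
// format quoted above, evaluated without eval(). Field names are looked
// up in an explicit input array (a stand-in for $_POST) rather than in
// $GLOBALS, so nothing depends on register_globals, and only a fixed set
// of operators is accepted.

function evaluateRule(string $rule, array $input): bool
{
    // The rule must be exactly '{name} OP {name}' with a known operator;
    // anything else is rejected instead of being handed to the interpreter.
    $pattern = '/^\{([A-Za-z_]\w*)\}\s*(==|!=)\s*\{([A-Za-z_]\w*)\}$/';
    if (!preg_match($pattern, $rule, $m)) {
        throw new InvalidArgumentException("Unsupported rule: $rule");
    }
    [, $left, $op, $right] = $m;
    if (!array_key_exists($left, $input) || !array_key_exists($right, $input)) {
        throw new InvalidArgumentException("Unknown field in rule: $rule");
    }
    // Strict comparison: no type juggling between values such as "0" and "00".
    return $op === '==' ? $input[$left] === $input[$right]
                        : $input[$left] !== $input[$right];
}

// Constructed sample input, standing in for the submitted form.
$input = ['pass1' => 'secret', 'pass2' => 'secret', 'email' => 'a@example.org'];

var_dump(evaluateRule('{pass1}=={pass2}', $input));
var_dump(evaluateRule('{pass1}!={email}', $input));

// A rule that is not of the expected shape is rejected; with eval() it
// would have been executed as PHP.
try {
    evaluateRule('{pass1}==1', $input);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```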