On Friday 17 March 2006 15:10, Kevin Davies - Bonhurst Consulting wrote:
> I just picked up this thread, so excuse me if I'm repeating or have totally
> missed the point.
>
> Another concern I picked up from a PHP security book is using '--' - which
> simply comments out the remainder of the line (
http://www.virtuawebtech.co.uk
-Original Message-
From: tedd [mailto:[EMAIL PROTECTED]
Sent: 17 March 2006 14:30
To: php-general@lists.php.net; Rafael
Subject: Re: [PHP] Re: setcookie security concerns [medium]
Rafael:
>>>$thestyle= htmlentities($_POST['thestyle']);
>>set
(Comments inline)
tedd wrote:
[···]
From what I've read (PHP Cookbook by Sklar and other sources) the
reason why you don't want to use $_REQUEST is because it holds all the
variables from six global arrays, namely $_GET, $_POST, $_FILES,
$_COOKIE, $_SERVER, and $_ENV.
Actually, the
ass = '$pass'
Obviously restricting/validating form input entry would avoid this issue.
HTH,
Kevin
-Original Message-
From: tedd [mailto:[EMAIL PROTECTED]
Sent: 17 March 2006 14:49
To: php-general@lists.php.net; Rafael
Subject: Re: [PHP] Re: setcookie security concerns [medium]
Rafael wrote:
A typical example would be a login script that uses the data
as it arrives, for example:
$login = $_POST['login'];
$passw = $_POST['passw'];
$sql = "SELECT * FROM user\n"
."WHERE( login = '$login' AND passw = '$passw' )";
In this case, what happens if I send so
Rafael wrote:
Actually, you receive $set via GET, so you should use $_GET
instead of $_POST. A lot of people use $_REQUEST (which is a
combination of $_POST, $_GET and $_COOKIE - check the manual), but I
read somewhere that this isn't a good practice, though I don't
recall why :p
From what
Rafael:
Actually, you receive $set via GET, so you should use $_GET
instead of $_POST.
Yes, you are correct.
In my example --
http://www.sperling.com/examples/styleswitch/
-- the value doesn't look like it is being added to the url and thus
I mistakenly thought it was a POST. I wonder
(Comments inline)
tedd wrote:
[···]
One last question, considering the above code, would the following code
be a suitable replacement?
Actually, you receive $set via GET, so you should use $_GET instead of
$_POST. A lot of people use $_REQUEST (which is a combination of $_POST,
$
Rafael:
You said:
In spite of all this, I would really recommend you not to rely
on register_globals=On, since: it's not a good idea, it's actually
deprecated (someday it will be removed) and makes your code a little
bit more confusing, since it's not clear where those variables come
from.
As far as I see... I can't see any risk. Cookies are saved in the
client machine (i.e. the one visiting your site), so any code he might
send will be used with him only, and it will not affect other users nor
the scripts in the (remote) server.
Now, you're not using the input value in anyth