[Fwd: Re: [PHP] Explanation in Shiflett's PHP Security Briefing]

2005-06-09 Thread [EMAIL PROTECTED]
Hm? Didn't see this one yesterday on the list? Let's try again :) -afan Chris Shiflett wrote: You forgot to filter your input. Shame! :-) Escaping alone can save you in many cases, but always filter input and escape output. I confess: I didn't forget. I did it just wrong :( Even I thought

Re: [PHP] Explanation in Shiflett's PHP Security Briefing

2005-06-08 Thread [EMAIL PROTECTED]
First, thanks guys for such a fast response :) Matthew Weier O'Phinney wrote: While the above would prevent most SQL injections, it could still wreak havoc with your database. For instance, what if your 'phone' or 'zip' fields in your database are integer fields, and text gets passed from the

Re: [PHP] Explanation in Shiflett's PHP Security Briefing

2005-06-08 Thread Chris Shiflett
[EMAIL PROTECTED] wrote: I got the point Chris was making: never believe _GET/_POST and use ctype_alnum(), mysql_real_escape_string(), htmlentities() - and I already started :) (Thanks Chris, that was great for us beginners, already posted on a few Bosnian PHP forums :)) You're welcome. :-) I

Re: [PHP] Explanation in Shiflett's PHP Security Briefing

2005-06-08 Thread Matthew Weier O'Phinney
* "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> : > Thanks Richard. > I got the point Chris was making: never believe _GET/_POST and use > ctype_alnum(), mysql_real_escape_string(), htmlentities() - and I > already started :) (Thanks Chris, that was great for us beginners, > already posted on a few Bosn

Re: [PHP] Explanation in Shiflett's PHP Security Briefing

2005-06-08 Thread Chris Shiflett
[EMAIL PROTECTED] wrote: I was reading PHP Security Briefing from brainbulb.com (Chris Shiflett) and didn't get one thing: in the example: why set $clean as an array? What's wrong if I use: Richard already answered this pretty well, but I wanted to mention that this is not the only way to

Re: [PHP] Explanation in Shiflett's PHP Security Briefing

2005-06-08 Thread [EMAIL PROTECTED]
Thanks Richard. I got the point Chris was making: never believe _GET/_POST and use ctype_alnum(), mysql_real_escape_string(), htmlentities() - and I already started :) (Thanks Chris, that was great for us beginners, already posted on a few Bosnian PHP forums :)) My question though was is the di

Re: [PHP] Explanation in Shiflett's PHP Security Briefing

2005-06-08 Thread Richard Davey
Hello afan, Monday, June 6, 2005, 6:39:09 PM, you wrote: aan> I was reading PHP Security Briefing from brainbulb.com (Chris Shiflett) aan> and didn't get one thing: aan> in the example: aan> $clean = array(); aan> if (ctype_alnum($_POST['username'])) aan> { aan> $clean['username