[EMAIL PROTECTED] wrote:
I was reading the PHP Security Briefing from brainbulb.com (Chris
Shiflett) and didn't get one thing.
In this example:

<?php
   $clean = array();
   if (ctype_alnum($_POST['username']))
   {
       $clean['username'] = $_POST['username'];
   }
?>

Why set $clean as an array? What's wrong if I use:

<?php
   if (ctype_alnum($_POST['username']))
   {
       $clean = $_POST['username'];
   }
?>

Richard already answered this pretty well, but I wanted to mention that this is not the only way to do things - it's just the method that I use. The idea is that I have a single variable ($clean) that I make sure to initialize, and because it's an array, I can store all filtered data (and only filtered data) in it.

You could use a naming convention like $clean_username, but then you would have numerous variables to initialize on each page, increasing the chances of you forgetting one (although E_ALL can help you catch these mistakes). I'm just going for the simplest approach - the easier I can make things, the less likely I am to make a mistake. :-)

The bottom line is that you need to be able to easily and reliably distinguish between filtered and tainted data. How you do this is up to you.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
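The convention Chris describes, carried through for several fields so the pattern is visible, as an added example that is not from the briefing or from anyone in this thread (the field names, the checks applied to each, and the sample request are assumptions):

```php
<?php
// Added example of the $clean convention: the page starts with one empty
// $clean array, and only data that passed a specific check is copied in.
// Whatever is still only in $_POST is treated as tainted.
// Field names and rules are assumptions chosen for illustration.

function filter_input_fields(array $tainted): array
{
    $clean = array(); // the one variable that is always initialized

    // username: must be a string of letters and digits only
    if (isset($tainted['username'])
        && is_string($tainted['username'])
        && ctype_alnum($tainted['username'])) {
        $clean['username'] = $tainted['username'];
    }

    // item_id: decimal digits only, cast so later code receives an int
    if (isset($tainted['item_id'])
        && is_string($tainted['item_id'])
        && ctype_digit($tainted['item_id'])) {
        $clean['item_id'] = (int) $tainted['item_id'];
    }

    // email: syntactic check; filter_var returns false on failure
    if (isset($tainted['email'])
        && is_string($tainted['email'])
        && filter_var($tainted['email'], FILTER_VALIDATE_EMAIL) !== false) {
        $clean['email'] = $tainted['email'];
    }

    return $clean;
}

// Constructed sample request: one field passes, two fail their checks.
$sample = array(
    'username' => 'alice42',
    'item_id'  => '12abc',
    'email'    => 'not-an-address',
);

$clean = filter_input_fields($sample);

// Downstream code reads only from $clean. A missing key means that input
// never passed validation, so the request is refused rather than used.
foreach (array('username', 'item_id', 'email') as $field) {
    if (!isset($clean[$field])) {
        exit('invalid or missing field: ' . $field);
    }
}
```

The same idea applies to $_GET and $_COOKIE: they are read once, inside the filter, and everything after that point uses $clean alone.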

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
