I saw an article just a few days ago on "Hacking PHPNuke" that was an
excellent example of how the escape GPC thing saved a program from a major
security hole caused by a very minor oversight in less than 0.01% of the
code. Can't remember the name of the site...I think it was linked from
TheRegister.co.uk, but I can't recall. It had a kind of metallic greyish
look with small print.

Anyway, it's not a big thing if you're _really_ stringent about how you
check every single variable which is used in a database query,
system/passthru/exec, or eval command, and your checking methods are
flawless, but otherwise it's just best to go to the trouble of hacking
around the input explicitly.

Unless your setting of PHP will only affect your application and no one
else's, and you don't have to worry about having the script run on a system
whose config you don't control, then knock yourself out. But it's a good
idea to pretend that the default settings of PHP can't be changed, since
most people have those settings and you don't want your code to be "system
dependent" :)



Plutarck

"Mark Rogers" <[EMAIL PROTECTED]> wrote in message
news:9eb0sl$vvr$[EMAIL PROTECTED]...
> > It's a feature of PHP that it automatically escapes data submitted in
> > PUT/GET/etc.
>
> It didn't seem to be happening with POST which is why I thought it odd, but
> that probably means I didn't test properly :-)
>
> > It's nice in that it adds to how secure PHP code is, but it can be a
> > hassle.
>
> Out of curiosity, what are the security implications? Presumably a failure
> to validate input properly leading to unintended actions, but I can't think
> of any examples to help me decide whether to turn this off.
>
> Thanks for the quick response.
> --
> Mark Rogers
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
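An added example, not code from this thread, of the approach Plutarck recommends above: undo magic_quotes_gpc if it happens to be on, then hand the value to the database as a bound parameter so the code behaves the same under any php.ini. It assumes PHP 7.1 or later with the pdo_sqlite extension; the table, rows and submitted values are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Handles a submitted value the same
// way whether magic_quotes_gpc is on or off, then queries with a bound
// parameter instead of splicing the string into SQL.

// Return the value as the user actually typed it. get_magic_quotes_gpc()
// exists in PHP 4 through 7.4 (removed in 8.0), hence the function_exists guard.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);   // undo the automatic backslashes
    }
    return $value;
}

// Look up a user by name. Quote characters in $username never reach the SQL
// parser as syntax because the value travels as a bound parameter.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('o''brien')");

// Constructed inputs standing in for $_POST['user']: a normal name, a
// quote-laden value that would break a string-built query, and a legitimate
// name containing an apostrophe.
foreach (["alice", "' OR '1'='1", "o'brien"] as $submitted) {
    $row = find_user($db, raw_input($submitted));
    printf("%-14s => %s\n", $submitted, $row ? ('found id ' . $row['id']) : 'no match');
}
```

The first and third inputs match their rows and the second matches nothing, regardless of how magic_quotes_gpc is set on the host.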
