On 4/10/07, W Randolph Franklin <[EMAIL PROTECTED]> wrote:
> This is about a user-supplied field containing '$' having the '$'
> being treated as the special char that it is.
>
> Since no one else seems to have mentioned it:
>
> Inserting unchecked user-supplied text into a program and then
> reparsing, which is what this seems to amount to, is a
> horrible security situation. In the worst case, an attacker gets
> complete control of your system.
I take it this means it's never safe to run a preg_replace command on an
input field from a user? Or am I missing something...

There are probably other places this should be checked also. No one has
mentioned this in the past. Curious it's just now come up. I'll do some
scouting around if I haven't misunderstood you...

Cheers,
Dan

_______________________________________________
pmwiki-devel mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-devel
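An added example, not PmWiki code and not anything either poster wrote, to show concretely where the '$' problem lives. preg_replace has three string arguments, and user text is harmless in only one of them: as the subject, nothing is interpreted. In the replacement argument, `$1`, `${1}` and `\1` are expanded as backreferences into the match; in the pattern argument, every regex metacharacter changes meaning. (The worst case Franklin describes, the replacement being evaluated as PHP code, is what the old /e modifier did; it is gone from PHP 7, so the code below only shows the backreference behaviour that still exists.) The template, field names and the visitor's input are constructed for the illustration; `substituteUnsafe`, `escapeReplacement`, `substituteEscaped`, `substituteCallback` and `stripTags` are names invented here.

```php
<?php
// Added example, not PmWiki code: what happens when user-supplied text
// reaches the replacement (or pattern) argument of preg_replace, and two
// ways to keep it literal. Inputs below are constructed for illustration.

// Constructed input: a template under the site's control, and a value a
// visitor typed into a form field (single quotes keep $ and \ literal).
const TEMPLATE  = 'Hello {{name}}, your balance is {{balance}}.';
const USER_NAME = 'Alice $1 ${0} \1';

// Vulnerable: the visitor's text is passed as the replacement string, so
// preg_replace expands $1, ${0} and \1 as references into the match.
function substituteUnsafe(string $template, string $field, string $value): string
{
    return preg_replace('/\{\{(' . $field . ')\}\}/', $value, $template);
}

// Fix 1: escape the only two characters a replacement string treats
// specially, backslash and dollar, so preg_replace emits them verbatim.
function escapeReplacement(string $value): string
{
    return addcslashes($value, '\\$');
}

function substituteEscaped(string $template, string $field, string $value): string
{
    // preg_quote() covers the other position where user text changes
    // meaning: a metacharacter such as '$' or ')' inside the pattern.
    $pattern = '/\{\{(' . preg_quote($field, '/') . ')\}\}/';
    return preg_replace($pattern, escapeReplacement($value), $template);
}

// Fix 2: preg_replace_callback inserts whatever the closure returns and
// never parses it as a replacement template, so no escaping is needed.
function substituteCallback(string $template, string $field, string $value): string
{
    $pattern = '/\{\{' . preg_quote($field, '/') . '\}\}/';
    return preg_replace_callback(
        $pattern,
        function (array $m) use ($value): string {
            return $value;
        },
        $template
    );
}

// User text only as the *subject* is a different situation: nothing in the
// subject is interpreted, so running preg_replace over it is safe.
function stripTags(string $userText): string
{
    return preg_replace('/<[^>]*>/', '', $userText);
}

$results = [
    'unsafe'   => substituteUnsafe(TEMPLATE, 'name', USER_NAME),
    'escaped'  => substituteEscaped(TEMPLATE, 'name', USER_NAME),
    'callback' => substituteCallback(TEMPLATE, 'name', USER_NAME),
    'subject'  => stripTags('<b>' . USER_NAME . '</b>'),
];
foreach ($results as $label => $out) {
    printf("%-8s %s\n", $label, $out);
}
```

Run it and the `unsafe` line shows the visitor's `$1` and `\1` replaced by the captured field name and `${0}` by the whole `{{name}}` match, while `escaped` and `callback` both reproduce the typed text exactly. The callback form is the simpler habit to adopt: there is no replacement string to get wrong, and it extends naturally to a lookup table of fields. Whichever form is used, `preg_quote()` is still needed wherever user text is spliced into the pattern itself.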
