There are two main takeaways from this advisory:
1) PHP application programmers can and will misuse this function
(CVE-2008-4096, CVE-2007-5423), but most PHP code auditors probably
don't check for it yet. So it's good for awareness.
2) Any language that has an equivalent capability for c
On Mon, 29 Sep 2008, [EMAIL PROTECTED] wrote:
> On Thu, 25 Sep 2008, [EMAIL PROTECTED] wrote:
>
> > Are you kidding?
> >
> > As the PHP manual said "if you use double quotes there will be a need to
> > escape the variable names".
> >
> > In your example you use a function with double quotes, with
On Thu, 25 Sep 2008, [EMAIL PROTECTED] wrote:
Are you kidding?
As the PHP manual said "if you use double quotes there will be a need to escape
the variable names".
In your example you use a function with double quotes, without escaping the
variable $sort_by, so this is not a PHP vulnerabili
Are you kidding?
As the PHP manual said "if you use double quotes there will be a need to escape
the variable names".
In your example you use a function with double quotes, without escaping the
variable $sort_by, so this is not a PHP vulnerability, but a development one.
For this time,
PHP uses the create_function function to CREATE an anonymous function like
below (stolen from php_manual):
--
Description
string create_function ( string args, string code )
Creates an anonymous function from the parameters passed, and returns a unique