about performance and
reading from the database every time in the same sentence.
Chris
--
Chris Shiflett
http://shiflett.org/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
guess would be that it doesn't cope. :-) I never use strip_tags(),
so someone else might be able to offer a much better answer.
Hope that helps, and thanks for the discussion.
Chris
On Oct 17, 2008, at 1:58 PM, Lamp Lists wrote:
I'm reading Essential PHP Security by Chris Shiflett.
At the very beginning (page 5-6), if I got it correct, he said this
is not good:
$search = isset($_GET['search']) ? $_GET['search'] : '';
and this is good:
$search = '';
if (isset($_GET
.), and based on the fact that Richard said he has a
lot of experience in this industry, I suspect his estimate was spot on.
You're right, though, it's difficult to get any return on your time
investment. :-)
Chris
Crayon Shin Chan wrote:
What makes you think any of the authors are subscribed to this list?
I'm subscribed. :-)
Chris
-expired-warnings
Hope that helps.
Chris
::ATTR_EMULATE_PREPARES, TRUE);
For more information:
http://netevil.org/blog/2006/apr/using-pdo-mysql
Hope that helps.
Chris
recommend it:
http://phpsecurity.org/reviews
Are all of these people fools, or is it really a good book?
Chris
with the author.
Chris
://shiflett.org/blog/2007/mar/allowing-html-and-preventing-xss
If you want to allow a larger subset, or you're just looking for a
packaged solution, try HTML Purifier:
http://htmlpurifier.org/
Hope that helps.
Chris
an update that I need to publish, but this should be enough to
explain the potential problems this technique can help prevent.)
Chris
Dotan Cohen wrote:
I recommend you dig deeper into that XSS page; you might even
find a script that filters XSS.
Obviously I keep missing it.
You might find these examples useful:
http://phpsecurity.org/code/ch01-3
http://phpsecurity.org/code/ch01-4
Hope that helps.
Chris
this be exploited?
If you ever use htmlentities() to escape data for SQL or
mysql_real_escape_string() to escape data for HTML, then yes, it is
dangerous. Escaping functions are context-dependent.
Hope that helps.
Chris
doesn't actually mean always, but I
can't remember the exact scenario. Perhaps it doesn't populate that
variable when the Content-Type is application/x-www-form-urlencoded, and
it does in all other cases.
Hope that helps.
Chris
problem I can recall someone having with header() was a
result of either:
1. Headers already being sent, as others have guessed.
2. The argument passed to header() being malformed, and the browser
doesn't interpret the malformed header as desired.
Hope that helps.
Chris
Hi Chris,
But sometimes when I'm back at the form page (after the redirect)
and I refresh the page it does the previous page's actions again.
Can you provide a raw HTTP dump of the complete scenario?
Chris
: ...') does. Or both.
Chris
Can you provide a raw HTTP dump of the complete scenario?
Two things:
1. How do I do that?
Probably the easiest thing to do these days is use a Firefox extension
like Firebug or LiveHTTPHeaders.
Chris
/addslashes-versus-mysql-real-escape-string
Hope that helps.
Chris
).
If escaping the entire query actually did anything useful, databases
would do this for us, and we'd never be discussing this topic.
Chris
Tijnema wrote:
Did you guys ever notice that little arrow down just right of
the back button, where you can go back 2 steps at once, so you
don't have to click very fast?
I think we both remember browsing before that feature was invented.
Chris
= $event;
} elseif ($event['n'] == 'eventnextoccurrencedate') {
$date = date('D, M d Y H:i:s', strtotime($event));
}
}
echo "<tr><td>{$name}</td><td>{$date}</td></tr>\n";
}
?>
</table>
Gotta love SimpleXML. :-)
contact them to see what they recommend.
Chris
won't have to worry about it again.
Hope that helps.
Chris
if there's an erroneous Content-Length
header or something that might cause the client to think it has read all
of the response when it hasn't.
Hope that helps.
Chris
magic_quotes_gpc is bad...
Chris
John Nichel wrote:
I'm just popping in now to let y'all know that I'm off to join
people like John and Jason in the world of "whatever happened
to him."
Thanks for your contributions over the years, John.
Chris
as Content-Disposition. :-)
Chris
received.
Chris
Tim wrote:
Considering bruce wants to be able to display the data and then
change location after a given time, and as stut said you can't
do this with a header() as it redirects before output
Sure you can. Just use a Refresh header instead of Location.
Chris
Richard Lynch wrote:
The old school HTTP-EQUIV of a refresh with a time and URL
would probably be suitable for this.
YMMV
And it's still not PHP. :-)
It is if you use header(). :-)
Chris
/184
It highlights the importance of character encoding consistency by
demonstrating an SQL injection attack that is immune to addslashes() but
not mysql_real_escape_string().
Hope that helps.
Chris
Larry Garfield wrote:
I've run into this sort of issue a few times before, and never
found a good solution.
Not sure if this is the solution you're looking for, but you can convert
them to regular quotes:
http://shiflett.org/archive/165
Hope that helps.
Chris
is included just as if it were the content of a local file.
Hope that helps.
Chris
using an old version of PHP, you should try reversing the
order of the header() calls in your example, if you haven't already.
Hope that helps.
Chris
that helps.
Chris
with several more with a bit of thought. Of
course, I'd love to be proven wrong and shown a really great solution.
Chris
your request is sort of impossible since I'm not about to guess.
I'm currently writing a test suite for this, and I'd be happy to test
any solution you've written.
But, to be quite honest, if you think the problem is trivial, your
solution isn't likely to be very useful to me.
Chris
this for all output.
Hope that helps.
Chris
[EMAIL PROTECTED] wrote:
I'd like to have the output as {11: 22}.
My previous example demonstrates that:
echo "{{$foo}: {$bar}}";
Chris
consider this a workaround. It's clean, intuitive syntax for
exactly these types of scenarios.
Hope that helps.
Chris
Kevin Murphy wrote:
I keep getting garbage characters in there, usually
associated with Smart Quotes.
This might be helpful:
http://shiflett.org/archive/165
Chris
. Want to write it? :-) I'd be happy to help.
Chris
consistency is even more important in that context:
http://shiflett.org/archive/178
Hope that helps.
Chris
--
Chris Shiflett
Principal, OmniTI
http://omniti.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
is redundant, since that's the default value in
HTTP/1.1.
I would send the header but give it a value of close, since I see no
good reason to leave the TCP connection open until it times out. That's
a pretty big waste in a situation where overhead matters.
Hope that helps.
Chris
Adam Zey wrote:
$headers .= "Content-Type: application/octet-stream\r\n";
I missed the context of this function, but it seems like you probably
mean to send:
Content-Type: application/x-www-form-urlencoded
Chris
tedd wrote:
Barry says you can use these three:
header("Content-Type: application/force-download");
header("Content-Type: application/octet-stream");
header("Content-Type: application/download");
Richard says only use this one:
header("Content-type: application/octet-stream");
And, you say use both.
Barry wrote:
You can send every header twice, triple, a zillion
times if you want.
Sure, but you have to know how to use header():
http://php.net/header
By default it will replace, but if you pass in FALSE as the second
argument you can force multiple headers of the same type.
Regardless,
Richard Lynch wrote:
It is possible that all modern browsers have given
in to whichever johnny-come-lately 'standard' made
up the Content-disposition header.
The original RFC for it is dated June 1995, so it's not too recent.
There are plenty of useful aspects of HTTP not defined in RFC 2616.
I wrote an article on this subject that might help:
http://shiflett.org/articles/guru-speak-nov2004
Chris
and explanation, the header() function only gets called
if there are no errors.
Hope that helps.
Chris
Jochem Maas wrote:
a. php will actually implement static late binding
b. Zend Framework's 'DataObject' class will make use of said late
binding to do cool things like Person::findAll( $myFilter ) with
out having to actually implement a findAll method in the Person
class
I have read indications
John Taylor-Johnston wrote:
Scrolling back and forward through my PHP generated search
engine, my browser (FF) alerts to remind me that I have post
data. What kind of header can I add to avoid it doing that?
I have a pretty detailed article about this on my web site:
Dallas Cahker wrote:
I was looking to see if there was a quick checklist of settings
for php to be disabled/enabled in the ini file to make the
application more secure.
Although there are some directives worth disabling (register_globals,
magic_quotes_gpc, allow_url_fopen), most
Wolf wrote:
What I am interested in finding out is what the best way is to
make sure that I can rework the upload area to allow upload and
download from it while keeping script kiddies from exploiting
it again.
I can post the scripts
If your scripts are very long, most of us won't take the
Mark Kelly wrote:
You can also use something like:
echo "<meta http-equiv=\"Refresh\" content=\"0;url=$from_page\">";
There's no need to use a meta tag to mimic HTTP headers. PHP provides
the header() function.
Chris
Angelo Zanetti wrote:
So should I avoid magic_quotes_gpc altogether?
In my opinion, yes.
my local development server has them enabled and when testing
the input of a textfield that does a select query I input 'hello'
(including single quotes) and it works really well with the
single quotes
Mark Kelly wrote:
You can also use something like:
echo "<meta http-equiv=\"Refresh\" content=\"0;url=$from_page\">";
There's no need to use a meta tag to mimic HTTP headers. PHP
provides the header() function.
I have been using that method when I got part-way through some
processing that
Joe Wollard wrote:
I made fun of Chris and Rasmus specifically because I
know they're on this list.
I appreciate being considered important enough to make fun of.
Thanks! :-)
Chris
Jon Anderson wrote:
<IfModule mod_ssl.c>
...
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ...
...
</IfModule>
I seem to recall this being due to a bug in Internet Explorer that keeps
the connection open longer than necessary, tying up server resources.
George Schlossnagle has a formula for
Merlin wrote:
I am wondering if I am opening a potential security risk by
including files on remote servers.
Yes.
I am doing an include ('http:/www.server.com/file.html') inside
a php script of mine to separate content from function. Content
is produced by a friend of mine and I do not want
If I perform stripslashes first, then the process doesn't work.
I usually raise eyebrows with this statement, but you should never (with
very, very few exceptions) need to unescape anything. Ever.
Richard was pointing out that the only reason you would need to strip
slashes after retrieving
tedd wrote:
I usually raise eyebrows with this statement, but you should
never (with very, very few exceptions) need to unescape
anything. Ever.
What's this then?
http://us3.php.net/mysql_real_escape_string
That's an escaping function.
Chris
João Cândido de Souza Neto wrote:
I tried it; if I put an echo $_SESSION[root] before or
after the include, it works fine, but it doesn't work in the
file top.php.
Show us the code. What you're describing should not be possible.
Chris
João Cândido de Souza Neto wrote:
Show us the code.
... Some codes ...
That doesn't count. :-)
You're describing a situation that I seriously doubt is reflected in
your code. Reduce the problem to the simplest example you possibly can,
and then show us the code.
Chris
Jon Anderson wrote:
It seems to work okay, except that at the TCP level, the client
keeps initiating new connections for every soap request rather
than using a single connection for multiple requests. One
possible reason for this is that the server sends a Connection:
close HTTP header after the
Jon Anderson wrote:
Keep alives are definitely configured in the server - I can
request scripts multiple times manually from a telnet client.
In that case, I think a good next step would be to examine the HTTP
request. One guess is that the request you type in manually with telnet
is
Chris wrote:
If you're doing an exit() or die() or the script stops executing
that's like you closing the connection - so apache is going to
close the connection (as it should).
The connection Jon is talking about is the TCP connection, just in case
that's not clear. I'm not sure what
Rostislav Krasny wrote:
Why is there no newline after <p>Hello World</p>?
Is it a PHP bug, or should the tutorial be updated?
I discuss this here: http://shiflett.org/archive/151
It's a feature of PHP that has some advantages and disadvantages, and
it's not likely to change (consistency has merit,
it first. In your case, this is
particularly easy, because you can just make sure that the value is one
of the few valid values.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit
{
/* ... */
}
}
else
{
/* ... */
$v = new Validation;
$v->checkEmpty($_POST['name']);
If the form is submitted, define the class, else use the class. That
doesn't sound right...
Hope that helps.
Chris
Alain Roger wrote:
I have a link in my web page, and when a user clicks on this link, I would
like to execute a PHP function with a parameter.
You'll need to initiate a new request. Browsers don't execute PHP code.
Chris
been escaped with something like
mysql_real_escape_string(). You want to do that when you're using it in
a MySQL query, not when you use it in an email.
Hope that helps.
Chris
Dan Lowe wrote:
It's implied right on the front page it's not directly run by Google.
I'm not sure why it matters, but the real Google store appears to use ASP:
http://www.googlestore.com/home.asp
Chris
I'm not sure why it matters, but the real Google store appears to use ASP:
http://www.googlestore.com/home.asp
My mistake. Apparently there are different sites for different countries.
Chris
data.
Chris
. In a few months, it might be something to consider.
Hope that helps.
Chris
), and you'll see that I use this function on everything I
use in my SQL queries, even when it seems ridiculous to do so:
$access = time();
$access = mysql_real_escape_string($access);
Hope that helps.
Chris
/online_artikel/psecom,id,667,nodeid,114.html
Hope that helps.
Chris
the
GET method is indicated in a form's method attribute.
Hope that helps.
Chris
Hope that helps!
Chris
://shiflett.org/articles
Hope that helps!
Chris
Joe Harman wrote:
Okay...makes sense after you spelled it out to me.
That didn't make sense to me (and I missed the original reply). Mind
elaborating? :-)
Chris
getting the buffering and flushing concepts reversed? Think
of a toilet - buffering is the handle up, and flushing is the handle
down. :-)
Hope that helps!
Chris
= $_SESSION['array_for_popup'];
// .. do your magic.
// optionally clean things up. so the session var is removed.
unset($_SESSION['array_for_popup']);
?>
Don't forget session_start(). :-)
(You might have session.auto_start enabled, but it's not by default.)
Chris
Mathijs wrote:
How can I add more callback outputs to ob_start?
I want to have both: ob_start('switchContent');
and: ob_start('ob_gzhandler');
I don't think you can, but you could have a single function that calls
both, then specify that function in ob_start().
Chris
to distinguish between the history
mechanism and caches, a distinction that doesn't naturally exist.
I don't really fault Firefox for abiding by the no-store directive, nor
do I fault Internet Explorer for ignoring it.
Hope that helps.
Chris
is no. :-)
Chris
. :-)
For example, filter the data you receive from the client before passing
it as arguments to the mail() function.
Hope that helps.
Chris
]/path/to/script.php
I think it's pretty important to understand the difference as well as
the relationship. Once you do, your question might go away.
Hope that helps.
Chris
(XSS) vulnerability.
Hope that helps.
Chris
Angelo Zanetti wrote:
I've been searching for where the time is set for a session to
expire but had little luck.
I think you might be looking for the session.gc_* directives. These
control the session mechanism's garbage collection.
Hope that helps.
Chris
Angelo Zanetti wrote:
I've googled but found so many pages that I'm not sure what to use.
I want to use PHP to make use of SOAP.
If you're using PHP 5, this is a good option:
http://php.net/soap
Hope that helps.
Chris
, but this is a job for sscanf():
http://php.net/sscanf
Hope that helps.
Chris
for extra performance. So I sanitize data
on input only.
Sanitizing is an alias for filtering and has nothing to do with
escaping. One should never be considered a substitute for the other,
although this is a common mistake.
Chris
of the string is meant to be only data. In
this case, the data is Chris, Shiflett, New York, and NY. The HTML tags
are meant to be interpreted. As the developer, that's easy for me to
know, but it's hard to make this easier to keep up with. At best, any
solution requires developers to declare their intent
Chris Shiflett wrote:
However, most security issues like XSS and SQL injection aren't
really input filtering problems. Often, input filtering can
effectively eliminate these vulnerabilities (and there's no
excuse to not be filtering input), but escaping addresses the
root cause of the problem
provided, $_POST['pass']
is the password provided by the user.
Chris