I just discovered a hole in a white list validation technique I borrowed from a PHP security book (no, not Chris' book).

Beware in_array($_POST/GET['input'], $whitelist). Type matters. All input is string type and PHP will try to force type matching. So the input string 'securityhole' will match the int number 0.

FYI,
Cliff
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
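The check described in the message above, as an added example that is not part of the original post: loose `in_array()` beside strict mode and a validate-then-cast helper. The whitelist contents, the sample inputs and the `whitelist_id()` helper are assumptions made for illustration. Before PHP 8.0 a non-numeric string compares equal to integer 0; PHP 8.0 changed that comparison, but loose matching still accepts non-canonical numeric strings such as '1.0' or ' 2'.

```php
<?php
declare(strict_types=1);

// Constructed whitelist of integer IDs (assumption: it contains 0).
$whitelist = [0, 1, 2];

// Constructed inputs; request data always arrives as strings.
$inputs = ['1', 'securityhole', '1.0', ' 2', '01', '3'];

/**
 * Hypothetical helper: accept only a canonical decimal string, cast it,
 * then compare in strict mode so no type juggling takes place.
 * Returns the validated integer, or null when the input is rejected.
 */
function whitelist_id(string $raw, array $allowed): ?int
{
    // Rejects '', signs, whitespace, '1.0', '1e0' and any non-digit text.
    if (!ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    // Rejects '01' and values that saturate at PHP_INT_MAX on the cast.
    if ((string) $id !== $raw) {
        return null;
    }
    return in_array($id, $allowed, true) ? $id : null;
}

foreach ($inputs as $raw) {
    // Loose mode: PHP juggles types, which is the hole described above.
    $loose = in_array($raw, $whitelist);
    // Strict mode on the raw string: never matches an integer whitelist,
    // so strict comparison needs the input normalised to the right type.
    $strictRaw = in_array($raw, $whitelist, true);
    // Validate the format, cast, then compare strictly.
    $validated = whitelist_id($raw, $whitelist);

    printf(
        "%-16s loose=%-5s strict_raw=%-5s validated=%s\n",
        var_export($raw, true),
        var_export($loose, true),
        var_export($strictRaw, true),
        var_export($validated, true)
    );
}
```

A whitelist of strings compared with `in_array($raw, $whitelist, true)` avoids the cast entirely when the allowed values do not need to be integers.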