You are right ― I forgot about Chris Snyder’s excellent book. On 5/17/07 8:39 PM, "Michael Southwell" <[EMAIL PROTECTED]> wrote:
> At 06:35 PM 5/17/2007, you wrote:
>> I just discovered a hole in a white list validation technique I borrowed from a
>> PHP security book; no, not Chris' book.
>
> uhh, there are actually two PHP security books written by someone named Chris.
> I can say that this is not Pro PHP Security by Chris Snyder ;-).
>
>> Beware in_array($_POST/GET['input'], $whitelist)
>>
>> Type matters. All input is string type and PHP will try to force type
>> matching.
>>
>> So the input string 'securityhole' will match the int number 0.
>>
>> FYI,
>> Cliff
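The loose-comparison problem Cliff describes, as an added example that is not part of the original thread: a constructed mixed int/string whitelist checked with plain in_array(), then with the strict third argument, then with the whitelist normalized to strings so that legitimate numeric input is still accepted. The loose result for 'securityhole' holds for PHP 5.x and 7.x; PHP 8 changed non-numeric string vs int comparison so that case no longer matches there, but '0' == 0 and ' 1' == 1 still do.

```php
<?php
// Added example, not code from the original post. Shows why in_array() with
// loose comparison accepts unexpected request input, and two ways to fix it.
// Assumption: a whitelist that mixes ints and strings, as config files often do.
$whitelist = [0, 1, 2, 'admin', 'user'];

// Loose check: the form the thread warns about. in_array() uses == by default,
// so a non-numeric string is compared against int 0 as a number (PHP 5/7).
function isAllowedLoose(string $input, array $whitelist): bool
{
    return in_array($input, $whitelist);
}

// Strict check: third argument true makes in_array() use ===, so the type must
// match. Side effect: the legitimate input '0' no longer matches int 0.
function isAllowedStrict(string $input, array $whitelist): bool
{
    return in_array($input, $whitelist, true);
}

// Fix for that side effect: request input is always a string, so store the
// whitelist as strings and compare strictly. ' 1' then correctly fails too.
function normalizeWhitelist(array $whitelist): array
{
    return array_map('strval', $whitelist);
}

// Constructed inputs standing in for $_GET['input'] / $_POST['input'].
$inputs = ['0', '1', 'admin', 'securityhole', ' 1'];

foreach ($inputs as $input) {
    printf(
        "%-16s loose=%-5s strict=%-5s strict+normalized=%s\n",
        var_export($input, true),
        var_export(isAllowedLoose($input, $whitelist), true),
        var_export(isAllowedStrict($input, $whitelist), true),
        var_export(isAllowedStrict($input, normalizeWhitelist($whitelist)), true)
    );
}
```

Run it under PHP 7 and PHP 8 side by side to see which loose matches survive the PHP 8 comparison change; the strict+normalized column is the same on both.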
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
