At 12:53 PM -0500 12/13/07, David Mintz wrote:
> Once upon a time someone said it was a security risk to echo back
> $_POST data unconditionally, even if you escape it, and even though
> you are only showing them the very thing they just submitted to you.
> But I forget what that risk was. Maybe I misremember.
> I suppose if someone were to submit a string the length of War and
> Peace, it would squander bandwidth if you sent it back without
> truncating, but is that a true security risk?
> --
> David Mintz
Not that I experienced it, not that I'm correct, but the idea *I*
remember was that if you exceeded the length of a POST you could
crash the system and have your way with it. BUT, that was a long time
ago and things have changed.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
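As an added illustration of the two points raised in the thread (escaping what you echo back, and capping its length), here is a small PHP helper. It is not code from either poster; the field name "comment", the byte cap and the sample inputs are all assumptions made for the example. It also handles a case the thread does not mention but that bites in practice: a form field named `comment[]` arrives in $_POST as an array, not a string, and passing that to htmlspecialchars() fails.

```php
<?php
// Added example, not from the original thread.
// Assumes the page is served as UTF-8; "comment" and MAX_ECHO_BYTES are hypothetical.
declare(strict_types=1);

const MAX_ECHO_BYTES = 2000; // assumed cap; pick one per field

/**
 * Return the HTML-safe, length-capped text to echo back for one $_POST field,
 * or null when the field is missing, is not a plain string, or is not valid UTF-8.
 *
 * Contrast with the unsafe pattern the thread is about:
 *     echo $_POST['comment'];            // reflects attacker-controlled HTML/JS
 */
function echo_back_field(array $post, string $name, int $maxBytes = MAX_ECHO_BYTES): ?string
{
    // name[]=... in the form makes this an array; never assume a string.
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    $raw = $post[$name];

    // Reject malformed UTF-8 instead of trying to repair it; bad byte
    // sequences are a classic way to confuse an escaper and the browser.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }

    // Truncate by bytes but on a character boundary, so a multibyte
    // character is never cut in half (which would itself be malformed UTF-8).
    $truncated = mb_strcut($raw, 0, $maxBytes, 'UTF-8');

    // ENT_QUOTES escapes both ' and " so the value is also safe inside an
    // attribute; ENT_SUBSTITUTE replaces rather than silently returning "".
    return htmlspecialchars($truncated, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    ['comment' => 'Hello <b>world</b> "quoted" & more'],
    ['comment' => '<script>alert(document.cookie)</script>'],
    ['comment' => ['not', 'a', 'string']],      // came in as comment[]=...
    ['comment' => str_repeat('A', 10000)],      // the "War and Peace" case
    ['comment' => "bad utf8 \xC3"],             // truncated multibyte sequence
];

foreach ($samples as $post) {
    $out = echo_back_field($post, 'comment', 50);
    if ($out === null) {
        echo "(not echoed: missing, non-string, or malformed field)\n";
    } else {
        echo '<p>You wrote: ' . $out . "</p>\n";
    }
}
```

The second sample is the one people mean when they warn about echoing $_POST: without htmlspecialchars() the script tag is rendered and runs in the submitter's browser, which matters as soon as a third party can get the victim to submit that form. The cap does not protect the server in any interesting way, but it keeps the response small and keeps the escaper from working on arbitrary amounts of input.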