[nycphp-talk] PHP Vulnerability
Daniel Convissor
danielc at analysisandsolutions.com
Fri Dec 17 16:22:16 EST 2004
On Fri, Dec 17, 2004 at 04:11:48PM -0500, csnyder wrote:
> Well gees -- you pass unsanitized user input to addslashes(), dontcha?
Uh, no.
If I expect something to be an integer, it better be an integer. If I
had to accept a file name, it wouldn't be allowed to have double
periods or slashes in it. I tend to check for length also. Etc...
Though, of course, I use PHP functions to do that checking. So, if
preg functions had a vulnerability... OUCH!
--Dan
--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
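The allow-list style of checking Dan describes (an integer must be exactly an integer, a file name may not contain double periods or slashes, and length is bounded) written out as an added PHP example; this is not code from the thread, and the function names, the regexes and the length limits are assumptions.

```php
<?php
// Added example, not from the original list post. Allow-list validation in the
// spirit of the reply above: reject anything that is not exactly what we expect.

/** Return the integer if $value is strictly a decimal integer string, else null. */
function validate_int(string $value, int $min = 0, int $max = PHP_INT_MAX): ?int
{
    // Only an optional '-' followed by digits, no leading zeros.
    // This rejects "12abc", " 12", "1e3", "0x1A", "12.0" and "" outright.
    if (!preg_match('/\A-?(0|[1-9][0-9]*)\z/', $value)) {
        return null;
    }
    // Guard against strings too long to be a PHP integer before casting.
    if (strlen(ltrim($value, '-')) > strlen((string) PHP_INT_MAX)) {
        return null;
    }
    $n = (int) $value;
    return ($n >= $min && $n <= $max) ? $n : null;
}

/** Return $name if it is a safe single path component, else null. */
function validate_filename(string $name, int $maxLen = 64): ?string
{
    if ($name === '' || strlen($name) > $maxLen) {
        return null;
    }
    // Allow-list of characters: letters, digits, underscore, hyphen, dot.
    // Anything else (slashes, backslashes, NUL, whitespace) fails here.
    if (!preg_match('/\A[A-Za-z0-9_.-]+\z/', $name)) {
        return null;
    }
    // No hidden files and no '..' sequence anywhere in the name.
    if ($name[0] === '.' || strpos($name, '..') !== false) {
        return null;
    }
    return $name;
}

// Constructed sample inputs (assumed, for illustration only).
foreach (['42', '42abc', '-7', '007'] as $candidate) {
    var_dump(validate_int($candidate));
}
foreach (['report-2004.txt', '../secret.txt', 'sub/dir.txt'] as $candidate) {
    var_dump(validate_filename($candidate));
}
```

Both functions return null rather than a "cleaned" value, so a caller cannot accidentally continue with a partially sanitized input.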