[nycphp-talk] PHP to ajax variable passing problem

csnyder chsnyder at gmail.com
Fri Aug 10 14:57:42 EDT 2007


On 8/9/07, Dell Sala <dell at sala.ca> wrote:
>
> json.org provides a json decoder for javascript. I've always used
> this instead of eval. This will only parse the json subset, and will
> fail for other arbitrary javascript.
>
> http://www.json.org/js.html
> http://www.json.org/json.js
>

That script makes it _much_ safer to parse untrusted json, and if
there was any way to exploit it at all, someone would have found it by
now.... but it still uses eval().

-- 
Chris Snyder
http://chxo.com/
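
Added example, not part of the original post and not json.org's code: the thread's point is that a parser should accept only the JSON subset, and this sketch does so by reading the text character by character without ever calling eval(). The name parseStrictJSON and the sample inputs are hypothetical.

```javascript
function parseStrictJSON(text) { // added example, hypothetical name; never calls eval()
  let i = 0; // read position in text
  const NUM = /-?(0|[1-9]\d*)(\.\d+)?([eE][+-]?\d+)?/y; // sticky: matches only at i
  const fail = (msg) => { throw new SyntaxError(msg + " at offset " + i); };
  const ws = () => { while (i < text.length && " \t\n\r".includes(text[i])) i++; };
  const expect = (ch) => { if (text[i] !== ch) fail("expected " + ch); i++; };
  function string() {
    expect('"');
    let out = "";
    while (i < text.length && text[i] !== '"') {
      const c = text[i++];
      if (c < " ") fail("raw control character in string");
      if (c !== "\\") { out += c; continue; }
      const e = text[i++], hex = text.slice(i, i + 4);
      const k = '"\\/bfnrt'.indexOf(e); // position of a one-letter escape, or -1
      if (e === "u" && /^[0-9a-fA-F]{4}$/.test(hex)) {
        out += String.fromCharCode(parseInt(hex, 16)); i += 4;
      } else if (k >= 0) out += '"\\/\b\f\n\r\t'[k];
      else fail("bad escape");
    }
    expect('"');
    return out;
  }
  function list(open, close, item) { // open [item (',' item)*] close; item() stores its result
    expect(open); ws();
    if (text[i] === close) { i++; return; }
    do { ws(); item(); ws(); } while (text[i] === "," && ++i);
    expect(close);
  }
  function value() {
    ws();
    if (text[i] === '"') return string();
    if (text[i] === "[") { const a = []; list("[", "]", () => a.push(value())); return a; }
    if (text[i] === "{") {
      const o = Object.create(null); // no prototype: a "__proto__" key is plain data
      list("{", "}", () => { const k = string(); ws(); expect(":"); o[k] = value(); });
      return o;
    }
    for (const [word, v] of [["true", true], ["false", false], ["null", null]])
      if (text.startsWith(word, i)) { i += word.length; return v; }
    NUM.lastIndex = i;
    const m = NUM.exec(text) || fail("unexpected token"); // anything else is rejected
    i = NUM.lastIndex;
    return Number(m[0]);
  }
  const result = value();
  ws();
  if (i !== text.length) fail("unexpected trailing text");
  return result;
}
```

Input such as `{"a":1}; alert(1)` or `{"a":new Date()}` raises a SyntaxError here instead of being executed.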


