[nycphp-talk] Input whitelist validation warning

Chuck Hagenbuch chuck at horde.org
Thu May 17 18:37:32 EDT 2007


Quoting Cliff Hirsch <cliff at pinestream.com>:

> I just discovered a hole in a white list validation technique I borrowed from a
> PHP security book - no, not Chris' book.
>
> Beware in_array($_POST/GET['input'], $whitelist)
>
> Type matters. All input is string type and PHP will try to force type
> matching.
>
> So the input string 'securityhole' will match the int number 0.

This is the kind of thing that the third argument to in_array is for - it
forces strict type checking:

http://us2.php.net/in-array

-chuck
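An added example, not part of this thread, showing the loose in_array() comparison Cliff describes, the strict third argument Chuck points to, and a validate-then-compare helper (the helper name whitelisted_int and the sample whitelist are assumptions). It assumes PHP 7.1 or later for the type declarations; the PHP 8 change to string/number comparison is noted in the comments.

```php
<?php
// Added example (not from the original thread). Constructed whitelist of
// allowed numeric option ids, and a constructed stand-in for $_POST['input'].
$whitelist = [0, 1, 2, 3];
$input = 'securityhole';

// Loose comparison (the default). PHP 5.x/7.x compare a non-numeric string
// to an int by converting the string to a number, so 'securityhole' == 0
// holds and the bogus value passes the whitelist. PHP 8 changed this rule
// (the int is converted to a string instead, so 'securityhole' == '0' fails),
// but a whitelist should not depend on which comparison semantics are in use.
function loose_check(string $raw, array $allowed): bool
{
    return in_array($raw, $allowed);
}

// Strict comparison (third argument true): 'securityhole' === 0 is false on
// every PHP version, so the hole is closed. Note the side effect: strict mode
// also rejects the legitimate request value '2', because '2' !== 2.
function strict_check(string $raw, array $allowed): bool
{
    return in_array($raw, $allowed, true);
}

// Validate the string form first, then compare strictly against the canonical
// type. Only canonical decimal digit strings are accepted, which rejects '',
// ' 2', '2abc', '0x1' and '02' before any cast happens. Hypothetical helper.
function whitelisted_int(string $raw, array $allowed): ?int
{
    if (!preg_match('/\A(0|[1-9][0-9]*)\z/', $raw)) {
        return null;
    }
    $value = (int) $raw;
    return in_array($value, $allowed, true) ? $value : null;
}

// Walk through the cases from the thread plus a few edge cases.
$cases = ['securityhole', '2', '0', '2abc', ' 2', ''];
foreach ($cases as $raw) {
    printf(
        "%-14s loose=%s strict=%s validated=%s\n",
        var_export($raw, true),
        loose_check($raw, $whitelist) ? 'pass' : 'reject',
        strict_check($raw, $whitelist) ? 'pass' : 'reject',
        var_export(whitelisted_int($raw, $whitelist), true)
    );
}
```

The useful pattern is the last function: the third argument to in_array() is the right fix for the type-juggling hole, but on its own it means every string request parameter fails against an integer whitelist, so the input has to be validated and converted to the whitelist's type before the strict comparison. Keeping the whitelist entries and the validated value in the same type is what makes strict mode both safe and usable.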
