[nycphp-talk] Input whitelist validation warning
csnyder
chsnyder at gmail.com
Fri May 18 16:19:32 EDT 2007
On 5/17/07, Cliff Hirsch <cliff at pinestream.com> wrote:
>
> I just discovered a hole in a white list validation technique I borrowed from
> a PHP security book — no, not Chris' book.
>
> Beware in_array($_POST/GET['input'], $whitelist)
>
> Type matters. All input is string type and PHP will try to force type
> matching.
>
> So the input string 'securityhole' will match the int number 0.
>
Hmmm, but it might as well be our book, because I don't immediately
see the problem...

$whitelist = array( 'foo', 'bar', 'baz' );
if ( !in_array( $_POST['input'], $whitelist ) ) {
    exit( "Denied, you cad!" );
}

What is the condition under which that is exploited?
--
Chris Snyder
http://chxo.com/
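
The following is an added example, not part of the original post or of either author's code: it runs the loose in_array() check from the thread beside a strict variant over constructed whitelists and inputs. The function names allowed_loose and allowed_strict and all sample values are assumptions made for illustration.

```php
<?php
// Added example; whitelists and inputs below are constructed for illustration.

// Loose check, as in the post: in_array() compares with == unless told otherwise.
function allowed_loose($input, array $whitelist)
{
    return in_array($input, $whitelist);
}

// Strict check: the third argument makes in_array() compare with ===,
// so the whitelist must hold strings, the type request input arrives as.
function allowed_strict($input, array $whitelist)
{
    return is_string($input) && in_array($input, $whitelist, true);
}

$cases = array(
    // label => array(whitelist, input)
    'string whitelist, unknown word'  => array(array('foo', 'bar', 'baz'), 'securityhole'),
    'integer whitelist, unknown word' => array(array(0, 1, 2), 'securityhole'),
    'numeric-string whitelist, "1e1"' => array(array('10', '20'), '1e1'),
    'numeric-string whitelist, "10"'  => array(array('10', '20'), '10'),
);

foreach ($cases as $label => $case) {
    list($whitelist, $input) = $case;
    printf(
        "%-34s loose=%-5s strict=%s\n",
        $label,
        var_export(allowed_loose($input, $whitelist), true),
        var_export(allowed_strict($input, $whitelist), true)
    );
}
```

On PHP versions before 8.0 the integer-whitelist row passes the loose check, because == converts a non-numeric string to 0 when the other operand is an integer. The "1e1" row passes the loose check on every PHP version, since == compares two numeric strings as numbers, while the strict check rejects both.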