[nycphp-talk] Input whitelist validation warning
csnyder
chsnyder at gmail.com
Fri May 18 16:46:39 EDT 2007
On 5/18/07, Cliff Hirsch <cliff at pinestream.com> wrote:
> REFUND!!! The book goes back!
Damn, no points for honesty in this town.
> Here's the condition that caught me:
>
> $whitelist = (0,1);
>
> in_array($_POST['input'], $whitelist);
Oh yeah, that'll get ya. Same as if ( $_POST['input'] == TRUE )...
lots of funny stories about that one.
I guess the rule of thumb is that you should always be validating
against strings, since that's what you get in the request. Then if you
specifically need the value to be bool, int, or float, cast it as such
post-validation.
Thanks for illustrating!
--
Chris Snyder
http://chxo.com/
More information about the talk
mailing list