From: David F. <da...@d2...> - 2005-05-17 00:51:22
Note: if you're doing this (good idea, btw), I should finish the openevent cleanup so it's just a URL instead of the form stuff. Let me know beforehand; I need a day or so to finish that.

Jim Hu wrote:
> As part of an overall security sweep on my server, I'm thinking of
> modifying my copy of phpicalendar to test the values of all
> user-supplied variables. I think this would involve rewriting
> init.inc.php (that's what always gets executed first, right?). I would
> use the general approach described in
>
> http://phpsec.org/projects/guide/1.html#1.1
>
> where the tested variables from $_REQUEST[$key] get put into an array
> called $clean['$key'], which replaces $_POST, $_GET, or $_REQUEST where
> appropriate. This would mean modifying not only init.inc.php, but also
> all files that use superglobals directly.
>
> I don't actually think there are currently security exploits for
> phpicalendar, and I'm not sure how anyone would create one, but I've
> been feeling paranoid, and I've been doing this for all my other code.
> Any thoughts? Is there a reason not to do this? It will not be
> compatible with versions of PHP prior to 4.1.0.
>
> Jim Hu
>
> _______________________________________________
> Phpicalendar-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpicalendar-devel
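For readers of the archive: the $clean-array pattern Jim refers to looks roughly like the following. This is an added illustration, not code from phpicalendar or from either poster, and the parameter names (getdate, view, cal), the allowed values and the regular expressions are assumptions chosen for the example. The idea is that init.inc.php builds $clean once from $_REQUEST, validating each key against what it is allowed to contain (a real date, a name from a fixed list, a file name with no path characters), and every other file reads $clean['...'] instead of touching $_GET/$_POST/$_REQUEST directly. Anything that fails the check falls back to a safe default rather than being passed through.

```php
<?php
// Added example of the phpsec.org "$clean array" input-filtering pattern.
// NOT phpicalendar's own code; the keys, allowed values and patterns
// below are assumptions for illustration only.

// Build a filtered copy of the request. Only keys that pass their check
// end up in $clean; everything else gets a safe default.
function filter_request($request)
{
    $clean = array();

    // getdate: exactly YYYYMMDD, and must be a real calendar date.
    if (isset($request['getdate'])
        && is_string($request['getdate'])
        && preg_match('/^(\d{4})(\d{2})(\d{2})$/', $request['getdate'], $m)
        && checkdate((int) $m[2], (int) $m[3], (int) $m[1])) {
        $clean['getdate'] = $m[0];
    } else {
        $clean['getdate'] = date('Ymd');
    }

    // view: must be one of a fixed list of page names (strict comparison,
    // so "0" or an array does not accidentally match).
    $views = array('day', 'week', 'month', 'year');
    if (isset($request['view']) && in_array($request['view'], $views, true)) {
        $clean['view'] = $request['view'];
    } else {
        $clean['view'] = 'month';
    }

    // cal: a bare calendar name. Letters, digits, underscore and hyphen
    // only, so "../" and absolute paths can never reach the file system.
    if (isset($request['cal'])
        && is_string($request['cal'])
        && preg_match('/^[A-Za-z0-9_-]{1,64}$/', $request['cal'])) {
        $clean['cal'] = $request['cal'];
    } else {
        $clean['cal'] = 'default';
    }

    return $clean;
}

// Constructed sample inputs (not real traffic) showing the effect.
$good = array('getdate' => '20050517', 'view' => 'week', 'cal' => 'work');
$bad  = array(
    'getdate' => '20050231',           // Feb 31st: passes the regex, fails checkdate()
    'view'    => 'edit',               // not in the whitelist
    'cal'     => '../../etc/passwd',   // path traversal attempt
);

print_r(filter_request($good));
// getdate => 20050517, view => week, cal => work

print_r(filter_request($bad));
// getdate => today's date, view => month, cal => default
```

In the real code base the $clean array would be populated in init.inc.php and then used everywhere a superglobal is read today, which is exactly why Jim notes that the change touches every file using $_GET/$_POST/$_REQUEST directly, not just init.inc.php.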