From: Jim Hu <ji...@ta...> - 2005-05-17 04:13:37
OK, I'll wait. I'll move on to other parts of my site.

Jim

On May 16, 2005, at 10:13 PM, php...@li... wrote:

<snip>

> Message: 5
> Date: Mon, 16 May 2005 17:51:15 -0700
> From: David Fallon <da...@d2...>
> To: php...@li...
> Subject: Re: [PHPiCalendar-DEV] validating $_POST and $_GET values
> Reply-To: php...@li...
>
> Note if you're doing this (good idea, btw), I should finish the
> openevent cleanup to just be a URL instead of the form stuff. Let me
> know beforehand, I need a day or so to finish that.
>
> Jim Hu wrote:
>> As part of an overall security sweep on my server, I'm thinking of
>> modifying my copy of phpicalendar to test the values of all
>> user-supplied variables. I think this would involve rewriting
>> init.inc.php (that's what always gets executed first, right?). I would
>> use the general approach described in
>>
>> http://phpsec.org/projects/guide/1.html#1.1
>>
>> where the tested variables from $_REQUEST[$key] get put into an array
>> called $clean['$key'], which replaces $_POST, $_GET, or $_REQUEST where
>> appropriate. This would mean modifying not only init.inc.php, but also
>> all files that use superglobals directly.
>>
>> I don't actually think there are currently security exploits for
>> phpicalendar, and I'm not sure how anyone would create one, but I've
>> been feeling paranoid, and I've been doing this for all my other code.
>> Any thoughts? Is there a reason not to do this? It will not be
>> compatible with versions of PHP prior to 4.1.0.
>>
>> Jim Hu
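The $clean-array approach Jim describes in the quoted message, shown as an added example. This is not phpicalendar's init.inc.php and not code from the phpsec.org guide; the parameter names (cal, getdate, view), their patterns and defaults are assumptions chosen for illustration, and the sample request is constructed:

```php
<?php
// Added example, not phpicalendar's own init.inc.php: build a $clean array
// from $_REQUEST using an allowlist of parameter names, each with a validator.
// The parameter names (cal, getdate, view), patterns and defaults are
// assumptions for illustration; adapt them to what the application actually
// reads. Written without PHP 5 type hints so it also runs on PHP 4.1+, the
// first release that has $_REQUEST.

// One rule per accepted parameter: a regex the raw value must match, an
// optional extra check function, and the value used when the input is
// absent or invalid.
function input_rules()
{
    return array(
        // calendar name: letters, digits, '_' and '-' only, so no '/', '..' or NUL
        'cal' => array('pattern' => '/\A[A-Za-z0-9_-]{1,64}\z/',
                       'default' => 'default'),
        // YYYYMMDD, additionally verified with checkdate()
        'getdate' => array('pattern' => '/\A\d{8}\z/',
                           'check' => 'valid_getdate',
                           'default' => date('Ymd')),
        // fixed set of view names
        'view' => array('pattern' => '/\A(day|week|month|year)\z/',
                        'default' => 'month'),
    );
}

function valid_getdate($value)
{
    $y = (int) substr($value, 0, 4);
    $m = (int) substr($value, 4, 2);
    $d = (int) substr($value, 6, 2);
    return checkdate($m, $d, $y);
}

// Returns an array containing ONLY the allowlisted keys. Unexpected keys are
// dropped; arrays, values that fail the pattern or the extra check are
// replaced by the rule's default, so code reading $clean never sees raw input.
function filter_request($request, $rules)
{
    $clean = array();
    foreach ($rules as $key => $rule) {
        $clean[$key] = $rule['default'];
        if (!isset($request[$key]) || is_array($request[$key])) {
            continue;
        }
        $value = (string) $request[$key];
        if (!preg_match($rule['pattern'], $value)) {
            continue;
        }
        if (isset($rule['check']) && !call_user_func($rule['check'], $value)) {
            continue;
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed sample input standing in for $_REQUEST: a path traversal
// attempt, an impossible date, one good value and an unexpected extra key.
$sample = array(
    'cal'     => '../../etc/passwd',
    'getdate' => '20050230',
    'view'    => 'week',
    'debug'   => '1',
);

$clean = filter_request($sample, input_rules());
// $clean['cal'] is 'default', $clean['getdate'] is today's date,
// $clean['view'] is 'week', and 'debug' is absent from $clean entirely.

// In init.inc.php the real call would be
//   $clean = filter_request($_REQUEST, input_rules());
// after which the other files read $clean['cal'] instead of $_GET['cal'].
```

The point of the allowlist is that every key the rest of the application can read from $clean has passed a rule, and nothing the client sends reaches a file path, a date parser or an include without first matching one; the rules themselves are the part to review when a new parameter is added.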