Date: 11/18/99
- Next message: Florian Gnägi: "Re: [PHPLIB] Security Issues"
- Previous message: ehutson: "Re: [PHPLIB] Session stuff???????????"
- In reply to: Kristian Koehntopp: "Re: [PHPLIB] Am I doing right?"
- Next in thread: Florian Gnägi: "Re: [PHPLIB] Security Issues"
- Reply: Florian Gnägi: "Re: [PHPLIB] Security Issues"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Kristian,
Not knowing much about potential security risks, I am curious to know what kind
of validation functions you would recommend for things such as free text
fields. It is easy enough to ensure that a number is a number and a URL is a
URL etc. But how do I validate a field used for descriptive text?
Do you have any standard functions that you always use?
cheers
Narinda.
Kristian Koehntopp wrote:
> On Thu, Nov 18, 1999 at 06:59:04PM +0100, Björn Schotte wrote:
> > > > $sess->reimport_post_vars();
> > > Reimporting variables is a bad idea just for the security reasons
> >
> > But: if I don't call reimport_post_vars(), the entries the user
> > entered in the FORM are empty ... so I browsed the manual and
> > found this function. Was that wrong?
>
> You made form variables persistent. This can only happen if you do no
> validation on variable import, which is generally a no-no.
>
> Normally you have a variable $x, which is made persistent and is "clean" and
> you have a variable $f_x (form x), which is being imported from the outside
> and is unvalidated. You never work with $f_x.
>
> If $f_submit is being set, you copy $f_x to $x if validate_x($f_x) returns
> true.
>
> page_open(...);
> $sess->register("x");
>
> if ($f_submit) {
>     /* we are in a submit situation */
>     if (validate_x($f_x))
>         $x = $f_x;
> }
>
> page_close(); /* save $x */
>
> No reimport needed, ever.
>
> Kristian
>
> -
> PHP3 Base Library Mailing List. Send messages to <phplib <email protected>>.
> To unsubscribe, send "unsubscribe" to <phplib-request <email protected>> in
> the body, not the subject, of your message.
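The "$f_x is untrusted, $x is clean" pattern from Kristian's reply, carried through with a validator for the free-text field Narinda asks about. This is an added example, not PHPLIB code or code from either poster; it assumes PHP 5 or later syntax and simulates the session with a plain array, where PHPLIB would use $sess->register("x") and page_close().

```php
<?php
// Added example (not PHPLIB's code): validated import of a free-text form field.
// $form plays the role of PHPLIB's raw $f_* variables (untrusted);
// $session plays the role of the registered, persistent $x (trusted).

// Validator for a descriptive text field: bounded length and no control bytes
// other than tab, LF and CR. It decides whether the value is acceptable; it
// does not attempt to "repair" hostile input.
function validate_description($value, $max_len = 1000)
{
    if (!is_string($value) || strlen($value) > $max_len) {
        return false;
    }
    // Reject C0 control characters (except \t, \n, \r) and DEL.
    return preg_match('/^[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]*$/', $value) === 1;
}

// Copy a form value into the clean session state only when it validates.
// Nothing from $form is ever used directly; on a failed check $session
// keeps its previous, already-validated value.
function import_validated(array $form, array $session)
{
    if (empty($form['submit'])) {
        return $session;   // not a submit: leave clean state untouched
    }
    if (isset($form['description']) && validate_description($form['description'])) {
        $session['description'] = $form['description'];
    }
    return $session;
}

// Constructed sample input: one good submission, then one carrying a NUL byte.
$session = array('description' => '');
$session = import_validated(
    array('submit' => '1', 'description' => "A fine product.\nWorks well."), $session);
$session = import_validated(
    array('submit' => '1', 'description' => "bad\x00text"), $session);
// $session['description'] still holds the first, validated value.

// Validation decides what gets stored; escaping decides how it is displayed.
// Escape on output even for validated text, since "valid" does not mean "safe as HTML".
echo htmlspecialchars($session['description'], ENT_QUOTES), "\n";
```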