PHP

Wednesday, February 16, 2005

Chris Shiflett: More on Filtering Input and Escaping Output

I found this post quite educational, especially about which items in the various superglobals ($_GET, $_POST, $_SERVER, $_COOKIE, $_SESSION) are tainted. Basically, the gist is that $_GET, $_POST, and $_COOKIE are always supplied by the user, and therefore have to be considered tainted. $_SESSION is stored by the server, and shouldn’t be tainted if you did your job right (i.e., you didn’t store any tainted data in the session). $_SERVER, though, is more complex, because some of the values in that array come from the web browser, despite the name of the array. Check the comments for more detail.

Posted in InfoSec, PHP by funkatron on 02/16 at 08:41 AM
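
To make the $_SERVER point concrete, here is an added example (not code from this blog or from the linked post) that separates request-derived $_SERVER entries from server-set ones, then filters one on input and escapes on output. The key list, the helper names, and the sample request array are assumptions made for illustration, the list is not exhaustive, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example. $_SERVER keys that are derived from the HTTP request
// rather than from server configuration (illustrative, not exhaustive).
const REQUEST_DERIVED_KEYS = [
    'REQUEST_URI', 'QUERY_STRING', 'PHP_SELF', 'PATH_INFO',
    'REQUEST_METHOD', 'CONTENT_TYPE', 'CONTENT_LENGTH',
    'PHP_AUTH_USER', 'PHP_AUTH_PW',
];

// Hypothetical helper: true if the value originates with the client.
function is_tainted_server_key(string $key): bool
{
    // Every HTTP_* entry is a request header supplied by the client.
    return strncmp($key, 'HTTP_', 5) === 0
        || in_array($key, REQUEST_DERIVED_KEYS, true);
}

// Filter input: accept the Host header only if it is on an allow-list.
function filtered_host(array $server, array $allowedHosts): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    return in_array($host, $allowedHosts, true) ? $host : null;
}

// Escape output: encode for the HTML context at the point of use.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample environment so the script runs from the CLI.
$server = [
    'SERVER_SOFTWARE' => 'Apache',                 // set by the server
    'REMOTE_ADDR'     => '192.0.2.10',             // taken from the connection
    'HTTP_HOST'       => 'www.example.com',        // request header
    'HTTP_USER_AGENT' => 'Browser/1.0 <b>x</b>',   // request header with markup
    'PHP_SELF'        => '/index.php/<b>extra</b>', // includes client path info
];

foreach ($server as $key => $value) {
    $label = is_tainted_server_key($key) ? 'tainted' : 'server ';
    echo $label, '  ', $key, ' => ', html($value), "\n";
}

$host = filtered_host($server, ['www.example.com', 'example.com']);
echo 'Host after filtering: ', $host ?? '(rejected)', "\n";
```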

Tuesday, July 27, 2004

OSCON

I’m at OSCON this week. If you are too, or are just in Portland and wanna hang, drop me a line.

Posted in General, InfoSec, The Web Problem, PHP by funkatron on 07/27 at 11:19 AM

Sunday, March 21, 2004

PHP5 up in yo shit

Simon Willison: Zend PHP 5 Goodies

Simon Willison drops some info on new PHP5 tutorials from Zend.com. I’m anxious to start testing these out on the brand spanking new PHP5 install I did at work on Friday.

Posted in PHP by funkatron on 03/21 at 08:41 PM

Thursday, March 18, 2004

PHP 5 Release Candidate 1 Released

Bitflux Blog :: PHP 5 Release Candidate 1 Released

Yay yay yay yay yay. I will be installing this soon on one of our project servers and trying to get coWiki up and running for our Secret Project.

Posted in The Web Problem, PHP by funkatron on 03/18 at 10:12 AM

Tuesday, March 16, 2004

What Felix said about assuming…

It always seemed like a bad idea to do some kind of server or client detection by checking for a short string anywhere in the fingerprint. This is a good example of why.

Posted in The Web Problem, OS X, PHP by funkatron on 03/16 at 07:46 PM