Wednesday, February 16, 2005

Chris Shiflett: More on Filtering Input and Escaping Output


I found this post quite educational, especially about what items in the various superglobals ($_GET, $_POST, $_SERVER, $_COOKIE, $_SESSION) are tainted. Basically, the gist is that $_GET, $_POST, and $_COOKIE are always provided from the user, and therefore have to be considered tainted. $_SESSION is stored by the server, and shouldn’t be tainted if you did your job right (i.e., you didn’t store any tainted data in the session). $_SERVER, though, is more complex, because some of the values in that array come from the web browser, despite the name of the array. Check the comments for more detail.
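To make the taint distinction concrete, here is an added PHP example that is not part of the original post or of Shiflett's article. The list of request-derived $_SERVER keys is an assumption based on how PHP populates that array (every HTTP_* entry is copied from a request header), and the two sample request arrays are constructed, not captured traffic.

```php
<?php
// Added example: classify $_SERVER entries, filter input into a $clean array,
// and escape at output time. Not code from the original post.

// $_SERVER keys whose values come from the client's request (assumed list).
// Every key beginning with HTTP_ is a request header and is always client-supplied.
const REQUEST_DERIVED_SERVER_KEYS = [
    'REQUEST_URI', 'QUERY_STRING', 'PATH_INFO', 'PHP_SELF', 'REQUEST_METHOD',
    'CONTENT_TYPE', 'CONTENT_LENGTH', 'PHP_AUTH_USER', 'PHP_AUTH_PW',
];

function server_value_is_tainted(string $key): bool
{
    return strncmp($key, 'HTTP_', 5) === 0
        || in_array($key, REQUEST_DERIVED_SERVER_KEYS, true);
}

// Filter input: only validated values reach $clean; everything else is dropped.
function filter_input_values(array $get, array $server): array
{
    $clean = [];
    if (isset($get['id']) && ctype_digit($get['id'])) {
        $clean['id'] = (int) $get['id'];
    }
    // User-Agent is browser-supplied: accept only bounded printable ASCII.
    if (isset($server['HTTP_USER_AGENT'])
        && preg_match('/^[\x20-\x7E]{1,256}$/', $server['HTTP_USER_AGENT'])) {
        $clean['user_agent'] = $server['HTTP_USER_AGENT'];
    }
    return $clean;
}

// Escape output: escape for the HTML context at the point of output, never earlier.
function render(array $clean): string
{
    $items = [];
    foreach ($clean as $name => $value) {
        $items[] = '<li>' . htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8')
            . ': ' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return '<ul>' . implode('', $items) . '</ul>';
}

// Constructed sample request (not real traffic).
$sampleGet    = ['id' => '42', 'extra' => '<script>'];
$sampleServer = ['HTTP_USER_AGENT' => 'Mozilla/5.0 "test"', 'SERVER_ADDR' => '127.0.0.1',
                 'HTTP_HOST' => 'example.test', 'PHP_SELF' => '/index.php'];

foreach (array_keys($sampleServer) as $key) {
    printf("%-16s %s\n", $key, server_value_is_tainted($key) ? 'tainted (from request)' : 'server-set');
}
echo render(filter_input_values($sampleGet, $sampleServer)), "\n";
```

Note that `extra` never reaches `$clean` because it was not whitelisted, and the quotes in the User-Agent string are neutralised only when rendered.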

Posted by funkatron on 02/16/05 at 08:41 AM
