Wednesday, February 16, 2005

Chris Shiflett: More on Filtering Input and Escaping Output


I found this post quite educational, especially about which items in the various superglobals ($_GET, $_POST, $_SERVER, $_COOKIE, $_SESSION) are tainted. The gist is that $_GET, $_POST, and $_COOKIE always come from the client and therefore must be treated as tainted. $_SESSION is stored by the server and shouldn’t be tainted if you did your job right (i.e., you never stored tainted data in the session). $_SERVER, though, is more complex, because despite the array’s name some of its values come straight from the browser: every HTTP_* entry is a request header the client sent, and values such as REQUEST_URI and QUERY_STRING are taken from the request line. Check the comments on that post for more detail.
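To make the $_SERVER point concrete, here is an added example (my own code, not Chris Shiflett’s post or anything from this site) that classifies $_SERVER keys by whether the client can influence them and then applies the filter-input / escape-output pattern to a constructed request. The list of client-derived keys, the `page` whitelist and the sample request values are my assumptions for illustration; the rest uses standard PHP functions only.

```php
<?php
// Added example (not from Shiflett's post): which $_SERVER entries are
// client-controlled, and how the filter-input / escape-output pattern treats
// them. Runs from the CLI with constructed data; under a web server the same
// functions apply to the real $_GET and $_SERVER.

/**
 * True if $_SERVER[$key] is set from, or derived from, data the client sent
 * (request line, headers, body). Such values are exactly as tainted as
 * $_GET / $_POST / $_COOKIE.  The list is an assumption for this example,
 * not an exhaustive catalogue.
 */
function server_key_is_tainted(string $key): bool
{
    // Every HTTP_* entry is a request header copied verbatim
    // (HTTP_HOST, HTTP_USER_AGENT, HTTP_REFERER, HTTP_X_FORWARDED_FOR, ...).
    if (strncmp($key, 'HTTP_', 5) === 0) {
        return true;
    }
    // Entries built from the request line, entity headers or Authorization.
    static $from_request = [
        'REQUEST_URI', 'QUERY_STRING', 'REQUEST_METHOD', 'PATH_INFO',
        'ORIG_PATH_INFO', 'PATH_TRANSLATED', 'PHP_SELF',
        'CONTENT_TYPE', 'CONTENT_LENGTH', 'PHP_AUTH_USER', 'PHP_AUTH_PW',
    ];
    // Caveats not encoded here: under Apache, SERVER_NAME follows the client's
    // Host header unless UseCanonicalName is On; REMOTE_ADDR is the TCP peer,
    // which behind a reverse proxy is the proxy, not the user.
    return in_array($key, $from_request, true);
}

/**
 * Filter input: copy only values that pass a strict check into $clean.
 * Anything that fails is simply absent, so later code cannot use it by
 * accident. $get and $server stand in for $_GET and $_SERVER.
 */
function filter_request(array $get, array $server): array
{
    $clean = [];

    // Hypothetical 'page' parameter: must be one of a known set (whitelist).
    $allowed_pages = ['home', 'about', 'contact'];
    if (isset($get['page']) && in_array($get['page'], $allowed_pages, true)) {
        $clean['page'] = $get['page'];
    }

    // HTTP_REFERER lives in $_SERVER but is a client header, so it is
    // validated like $_GET. Keep it only if it is an absolute http(s) URL.
    if (isset($server['HTTP_REFERER'])
        && preg_match('#\Ahttps?://[^\s"<>]+\z#', $server['HTTP_REFERER'])) {
        $clean['referer'] = $server['HTTP_REFERER'];
    }

    return $clean;
}

/** Escape output: encode for the HTML context at the moment of output. */
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed request, standing in for a real $_GET / $_SERVER.
$fake_get = ['page' => 'about', 'id' => "1' OR '1'='1"];
$fake_server = [
    'REQUEST_URI'     => '/index.php?page=about',
    'HTTP_HOST'       => 'example.com',
    'HTTP_REFERER'    => 'javascript:alert(1)',
    'HTTP_USER_AGENT' => '<script>alert(1)</script>',
    'SERVER_SOFTWARE' => 'Apache',
    'REMOTE_ADDR'     => '203.0.113.7',
];

foreach (array_keys($fake_server) as $k) {
    printf("%-16s %s\n", $k,
        server_key_is_tainted($k) ? 'tainted (client)' : 'server-set');
}

$clean = filter_request($fake_get, $fake_server);
var_dump($clean);   // only 'page' => 'about'; the referer was rejected, 'id' was never copied

echo '<p>Page: ' . escape_html($clean['page']) . "</p>\n";
// $clean['referer'] is unset, so nothing is emitted for it and the
// javascript: value never reaches the page.
```

The important habit is the one Shiflett’s post describes: nothing is read from the raw superglobals at the point of use, only from `$clean`, and escaping happens once, at output, for the specific context (HTML here; a database or shell context needs its own escaping).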

Posted by funkatron on 02/16/05 at 08:41 AM
