[CS-FSLUG] PHP vulnerabilities?

Chris Brault gginorio at sbcglobal.net
Fri Jun 2 15:52:50 CDT 2006


> When I first started using user-input scripts, one of the things  I read 
> about was to filter ALL input to avoid anything bad coming in, in a 
> subroutine that deals with every input before it is handled on to the 
> rest of the script.
> The suggestion was instead of filtering things _out_ (things like a 
> backslash), it is safer to filter things allowed in (letters, numbers, 
> underscore, space, hyphen, period, question mark, exclamation point).

This is an excellent approach that I am going to implement. I have 
recently been put in charge of several sites and University Public 
Events at CSU Chico is considering putting me on contract for their 
site. So as you can see, security is important to maintain the integrity 
of the school and myself.

I try to avoid input as much as possible, although I love using 
interactivity (buttons, links, drop down boxes and the like). That said, 
for entering original content there is no substitute for an input box or 
textarea HTML-ified by tinyMCE. I wasn't aware that functions could be 
run in PHP through inputs that are printed to the page.  Imagine my 

So, now that I know that dangers, I've decided to add a better data 
check using a "positive" filter rather than a negative one. If I 
understand this properly, I should only allow characters that can be 
reasonably expected from the input.

A name should only contain alpha characters while an address only 
integers and alpha characters.

Hey, thanks for the information. I'm sure many people in the future will 
  have more secure sites because of it.

Gabe Ginorio

More information about the Christiansource mailing list