[nycphp-talk] Input whitelist validation warning
Cliff Hirsch
cliff at pinestream.com
Fri May 18 16:55:58 EDT 2007
On 5/18/07 4:46 PM, "csnyder" <chsnyder at gmail.com> wrote:
> On 5/18/07, Cliff Hirsch <cliff at pinestream.com> wrote:
>
>> REFUND!!! The book goes back!
>
> Damn, no points for honesty in this town.
>
>
>> Here's the condition that caught me:
>>
>> $whitelist = array(0,1);
>>
>> in_array($_POST['input'], $whitelist);
>
>
> Oh yeah, that'll get ya. Same as if ( $_POST['input'] == TRUE )...
> lots of funny stories about that one.
>
> I guess the rule of thumb is that you should always be validating
> against strings, since that's what you get in the request. Then if you
> specifically need the value to be bool, int, or float, cast it as such
> post-validation.
>
> Thanks for illustrating!
Best regards,
Cliff Hirsch, President
______________________________
Pinestream Communications, Inc.
Publisher of Semiconductor Times & Telecom Trends
52 Pine Street, Weston, MA 02493 USA
Tel: 781.647.8800, Fax: 781.647.8825
http://www.pinestream.com
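The pitfall quoted above, worked through in code. This is an added example, not code from the thread: `in_array()` defaults to loose (`==`) comparison, so with an integer whitelist a request string that is not numeric compares equal to `0` on PHP 5 and 7 and is accepted. PHP 8 changed that particular rule (a non-numeric string is no longer `== 0`), but numeric-looking strings such as `'1.0'`, `' 1'` or `'01'` still pass a loose check against `1` on every version. The function names and the sample inputs are constructed for the illustration; the third function implements csnyder's rule of thumb (whitelist strings, compare strictly, cast afterwards).

```php
<?php
// Added example, not from the original post.

// The original pattern: an integer whitelist checked with loose comparison.
// On PHP 5/7, 'anything' == 0 is TRUE, so it is accepted.
function accept_loose($input)
{
    $whitelist = array(0, 1);
    return in_array($input, $whitelist);
}

// Strict comparison alone (third argument TRUE) is not enough with an int
// whitelist: a request value is always a string, and '1' === 1 is FALSE,
// so even legitimate input is rejected.
function accept_strict_int_whitelist($input)
{
    return in_array($input, array(0, 1), true);
}

// The rule of thumb from the thread: validate against strings (what the
// request actually carries), strictly, and cast only after validation.
// Returns the validated int, or NULL when the value is rejected.
function accept_string_whitelist($input)
{
    $whitelist = array('0', '1');
    if (!is_string($input) || !in_array($input, $whitelist, true)) {
        return null;
    }
    return (int) $input;
}

// Constructed sample inputs standing in for $_POST['input'].
$samples = array('0', '1', '2', 'anything', '1.0', ' 1', '01', array('x'));

foreach ($samples as $s) {
    $label = is_array($s) ? 'array(...)' : "'" . $s . "'";
    $validated = accept_string_whitelist($s);
    printf("%-12s loose=%-6s strict-int=%-6s string-whitelist=%s\n",
        $label,
        accept_loose($s) ? 'ACCEPT' : 'reject',
        accept_strict_int_whitelist($s) ? 'ACCEPT' : 'reject',
        $validated === null ? 'reject' : 'ACCEPT (int ' . $validated . ')');
}
```

Run it under PHP 7 and PHP 8 side by side and the `loose` column is the one that differs: `'anything'` is accepted on 7 and rejected on 8, while `'1.0'`, `' 1'` and `'01'` are accepted on both. Only the string-whitelist column accepts exactly `'0'` and `'1'` on every version, which is why validating on the string form before casting is the safer default.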