--- Phillip Jackson <[EMAIL PROTECTED]> wrote:
> I have developed my own "register globals" function that mimics
> the action of register globals, but only for $_POST... I do this
> to ensure that all incoming communication is escaped for use in
> scripts to account for, and to avoid, SQL injection.
So, are you not worried about all of the other types of attacks?

Personally, I think this is a bad approach, regardless of how well it is implemented. I think you will give yourself a false sense of security. In addition, I think it is impossible to create secure data filtering rules that can possibly apply to all types of data. It is much better to take the time to create a validation algorithm for each distinct type of data that you expect and to use a "whitelist" approach in your logic.

If you don't care what I think and want to take this approach anyway, you might find this useful:

http://linux.duke.edu/projects/mini/htmlfilter/

Remember that there are two potential victims when poor data filtering is applied: you and your users. Don't forget to protect one while worrying about the other.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
Coming mid-2004
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
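The contrast Chris draws, as an added example that is not part of the thread or of either poster's code: a "register globals for $_POST" helper that escapes every value for SQL, beside a per-field whitelist validator with separate escaping for each consumer (bound parameters for the database, htmlspecialchars for HTML output). The field names, validation rules and sample request are constructed for illustration; the code assumes PHP 7 or later with the PDO SQLite driver available.

```php
<?php
// Added example, not from the original thread. Field names, rules and the
// sample request below are constructed; PHP 7+ and PDO SQLite are assumed.

// Constructed sample request, standing in for a real $_POST.
$post = [
    'username' => "bob'; DROP TABLE users;--",
    'age'      => '17abc',
    'email'    => 'bob@example.com',
    'comment'  => '<script>alert(1)</script>',
];

// 1. The generic approach from the original post: escape everything for use
//    inside a SQL string literal and hand it back as named variables.
//    addslashes() knows nothing about what a username or an age should look
//    like, and it does nothing for the HTML consumer, so the <script> tag in
//    'comment' passes through untouched.
function register_post_escaped(array $post): array
{
    $vars = [];
    foreach ($post as $key => $value) {
        $vars[$key] = addslashes((string) $value);
    }
    return $vars;
}

// 2. Whitelist validation: one rule per expected field, phrased as what IS
//    allowed. Fields that fail are reported; keys not listed here are dropped.
function validate_post(array $post): array
{
    $clean  = [];
    $errors = [];

    // username: 3-16 characters from a fixed alphabet, nothing else.
    if (isset($post['username'])
        && preg_match('/^[A-Za-z0-9_]{3,16}$/', $post['username'])) {
        $clean['username'] = $post['username'];
    } else {
        $errors[] = 'username';
    }

    // age: an integer in a plausible range; filter_var rejects "17abc".
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age !== false) {
        $clean['age'] = $age;
    } else {
        $errors[] = 'age';
    }

    // email: syntactic validation only.
    $email = filter_var($post['email'] ?? null, FILTER_VALIDATE_EMAIL);
    if ($email !== false) {
        $clean['email'] = $email;
    } else {
        $errors[] = 'email';
    }

    // comment: free text, so only bounded here; encoded at output time below.
    if (isset($post['comment']) && strlen($post['comment']) <= 500) {
        $clean['comment'] = $post['comment'];
    } else {
        $errors[] = 'comment';
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// 3. Each consumer gets its own escaping. The database never sees user data
//    inside the SQL text; the browser sees entity-encoded text, not markup.
function store_user(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, age, email, comment) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([
        $clean['username'], $clean['age'], $clean['email'], $clean['comment'],
    ]);
}

function render_comment(string $comment): string
{
    return htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
}

// Generic escaping: the hostile comment is still intact for an HTML consumer.
$escaped = register_post_escaped($post);
echo "After addslashes, comment is: {$escaped['comment']}\n";

// Whitelist: the hostile username and malformed age are rejected outright.
$result = validate_post($post);
echo 'Rejected fields: ' . implode(', ', $result['errors']) . "\n";

// A well-formed request (constructed) passes and is stored with bound
// parameters, then rendered with HTML encoding.
$good = ['username' => 'bob_42', 'age' => '34',
         'email' => 'bob@example.com', 'comment' => 'Hello <b>world</b>'];
$result = validate_post($good);
if (!$result['errors']) {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (username TEXT, age INTEGER, email TEXT, comment TEXT)');
    store_user($db, $result['clean']);
    echo 'Stored rows: ' . $db->query('SELECT COUNT(*) FROM users')->fetchColumn() . "\n";
    echo 'Rendered comment: ' . render_comment($result['clean']['comment']) . "\n";
}
```

The split between validation (what the value is allowed to be) and escaping (how each consumer needs it encoded) is the point of the reply: a single pass that escapes for one consumer cannot substitute for either, and it leaves the second victim Chris mentions, the user viewing the page, unprotected.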