This was posted to Slashdot not too long ago, and seems applicable to php-general given the frequent mentions of register_globals and usage of the get and post arrays. It's a detailed explanation of many common ways that software which is overly trusting of its input can be exploited, and underscores the point that input from the open internet is particularly risky.
http://www-106.ibm.com/developerworks/linux/library/l-sp3.html

A lot of the article deals specifically with writing applications in a Unix environment, but the general take-home points for PHP programmers boil down to:

- In a client/server system, the server should never trust the client.
- Ruthlessly check untrusted inputs.

---------------------------------------------------------------------
michal migurski- contact info and pgp key: sf/ca http://mike.teczno.com/contact.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
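The two take-home points above, worked through in PHP as an added example (this code is not from the post or from the linked IBM article). The first function shows why register_globals made trusting the client so easy to get wrong; since that setting was removed in PHP 5.4, it is simulated here with extract(). The second function and the id validator show the "ruthlessly check untrusted inputs" side: read only the named parameters you expect from the specific request array, and accept a value only when it matches an explicit rule. The function names, the credentials and the sample requests are all constructed for the illustration.

```php
<?php
// Added example: not from the original post or the linked article.

// Vulnerable pattern. With register_globals on, every request parameter
// became a global variable, so a client sending "authorized=1" could pre-set
// a variable the code only meant to assign after a successful login.
// register_globals no longer exists, so extract() stands in for it here.
function vulnerable_is_admin(array $request, bool $register_globals = true): bool
{
    if ($register_globals) {
        extract($request);            // request keys spill into local scope
    }
    // Hypothetical login check that only sets $authorized on success.
    if (isset($request['user']) && $request['user'] === 'admin'
        && isset($request['pass']) && $request['pass'] === 'correct-horse') {
        $authorized = true;
    }
    // Defect: $authorized was never initialised, so a client-supplied
    // value survives to this point and the server trusts it.
    return !empty($authorized);
}

// Hardened pattern: initialise your own state, read only the inputs you
// expect from the array they should arrive in ($_POST for a login form),
// and validate each one against an explicit rule before using it.
function safe_is_admin(array $post): bool
{
    $authorized = false;              // never rely on a variable being unset
    $user = $post['user'] ?? '';
    $pass = $post['pass'] ?? '';
    if (!is_string($user) || !is_string($pass)) {
        return false;                 // arrays can arrive as user[]=x
    }
    // Refuse anything outside the allowed shape rather than trying to clean it.
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $user)) {
        return false;
    }
    // hash_equals compares the secret in constant time.
    if ($user === 'admin' && hash_equals('correct-horse', $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Validator for a numeric id taken from $_GET: only an integer within the
// expected range is returned; every other value is refused as null.
function validated_id(array $get, string $key, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    if (!isset($get[$key]) || !is_string($get[$key])) {
        return null;
    }
    $id = filter_var($get[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $id === false ? null : $id;
}

// Constructed sample requests (not real traffic).
$forged = ['authorized' => '1'];      // no credentials at all, just the flag
$genuine = ['user' => 'admin', 'pass' => 'correct-horse'];

var_dump(vulnerable_is_admin($forged));        // fooled by the injected variable
var_dump(vulnerable_is_admin($forged, false)); // same code with register_globals off
var_dump(safe_is_admin($forged));              // hardened check ignores the flag
var_dump(safe_is_admin($genuine));             // real credentials still work
var_dump(validated_id(['id' => '42'], 'id'));      // in range, returned as int
var_dump(validated_id(['id' => '42abc'], 'id'));   // not an integer, refused
var_dump(validated_id(['id' => '-7'], 'id'));      // below minimum, refused
```

Run it with `php example.php`. The point of `safe_is_admin` is not the specific regex but the habit: the server decides which inputs exist, where they come from and what shape they may have, and anything else is rejected before it reaches application logic.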