Re: Sanitizing user input [message #169849 is a reply to message #169846] Tue, 28 September 2010 13:14
From: Web Dreamer
Jerry Stuckle wrote on Tuesday 28 September 2010 at 13:21 in
<i7sjqg$jo5$1(at)news(dot)eternal-september(dot)org>:

> Or, better yet, don't use a hosting company which has magic_quotes_gpc()
> enabled, and you can forget all about this mess. The whole thing has
> been deprecated and will be removed in PHP 6.0.

Concerning the hosting company, you get the point.
But sometimes we are asked do "develop" a web app to resell to another
company, which uses an already-in-production server and for which they can't
change the server settings without breaking an already-in-production-other-
application on the same server.
By doing so, you ensure that your code is portable.
The following ought also to always be included (with an include_once()
directive):
<?php
// magic_quotes_runtime and magic_quotes_sybase are PHP_INI_ALL settings, so
// they can be switched off at runtime even where magic_quotes_gpc cannot.
ini_set('magic_quotes_runtime', '0');
ini_set('magic_quotes_sybase', '0');
?>

Since 'magic_quotes_gpc' can't be changed at runtime, what I posted previously
is still required.

But I agree that for our own personal server it's indeed better to choose a
proper hosting company, and that all I have mentioned previously would be
useless (and will be deprecated in PHP 6).


Oh, most important: if you are asked to develop on a server hosting other PHP
apps, and you use sessions, it is IMPORTANT to use:

ini_set('session.name', "SomethingElseThan_PHPSESSID");

before using any "session_start()".
This is because 'PHPSESSID', which is the default, is probably used by another
application on the same server, and there is a potential risk of mixing
sessions...
Once the user's browser has a session id for a session name, it will send the
same one to the same server even if there are two different applications, and
you can have bad surprises.
Imagine that in the $_SESSION array you store the grant level of a user
(admin, user, etc.). Imagine this user has a login for each of the web apps
on the server, with the _same_ session.name but different grant levels
(user on app1, admin on app2), and that the array key in $_SESSION used for
storing the grant permissions has the same name: if he logs in to app1 first,
then to app2 afterwards, he becomes admin on both... (depends on your code behind).
Of course, this occurs only if they are on the _same_ server
(https://myserver.org/app1/ and https://myserver.org/app2/ )

Setting "ini_set('session.name', 'SomethingElseThan_PHPSESSID');" for each
of your web apps is a better guarantee against such potential issues.
But this is outside the current subject; I just felt it ought to be mentioned.

--
Web Dreamer
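The session mix-up described in the post above, reproduced as an added example that is not part of the original message or of any project: a single PHP CLI script plays the browser and two apps on one host. The cookie jar array, the shared save path under /tmp, the app names and the 'role' key are all assumptions made for the demonstration; the only real mechanism is that PHP identifies a session by the cookie whose name is session.name, and that two apps on the same host with the same name and the same save path open the same session file.

```php
<?php
// Added example, not code from the original post: a CLI simulation of two
// PHP apps on one host sharing a session cookie name, then the fix of giving
// each app its own session.name.
declare(strict_types=1);

// Assumed shared storage: both apps run under the same PHP on the same host,
// so they read and write the same session.save_path (hypothetical path).
const DEMO_SAVE_PATH = '/tmp/fudforum-session-demo';

/**
 * One request to an app.
 * $cookieJar  constructed "browser" cookie store: cookie name => session id.
 *             A browser keeps cookies per host, so it sends the same PHPSESSID
 *             to /app1/ and /app2/.
 * $sessionName  that app's session.name.
 * $roleToStore  what the app's login code writes, or null for a request that
 *               only reads the session.
 * Returns the role the app sees in $_SESSION after session_start().
 */
function request(array &$cookieJar, string $sessionName, ?string $roleToStore): ?string
{
    if (!is_dir(DEMO_SAVE_PATH)) {
        mkdir(DEMO_SAVE_PATH, 0700, true);
    }
    session_save_path(DEMO_SAVE_PATH);
    session_name($sessionName);               // same effect as ini_set('session.name', ...)
    if (isset($cookieJar[$sessionName])) {
        session_id($cookieJar[$sessionName]); // the browser presents its cookie
    }
    session_start();
    $cookieJar[$sessionName] = session_id();  // the browser keeps the Set-Cookie
    if ($roleToStore !== null) {
        $_SESSION['role'] = $roleToStore;     // assumed key, shared by both apps
    }
    $seen = $_SESSION['role'] ?? null;
    session_write_close();                    // end of this "request"
    return $seen;
}

/** The sequence from the post: log in to app1 as user, then to app2 as admin. */
function scenario(string $app1Name, string $app2Name): array
{
    $jar = [];
    return [
        'app1 after login as user'  => request($jar, $app1Name, 'user'),
        'app2 before its own login' => request($jar, $app2Name, null),
        'app2 after login as admin' => request($jar, $app2Name, 'admin'),
        'app1 next request'         => request($jar, $app1Name, null),
    ];
}

// Broken: both apps keep the default name, so they open the same session file.
$shared = scenario('PHPSESSID', 'PHPSESSID');

// Fixed: each app has its own session.name, so the browser keeps two cookies
// and neither app ever opens the other's session data.
$separate = scenario('app1_sid', 'app2_sid');

// Output only after all session_start() calls, so no headers are sent early.
print_r(['same session.name' => $shared, 'distinct session.name' => $separate]);

// Remove the demo's session files.
array_map('unlink', glob(DEMO_SAVE_PATH . '/sess_*') ?: []);
```

In the first run app2 already sees 'user' before anyone has logged in to it, and app1's next request comes back as 'admin', which is the escalation the post describes. In the second run app2 starts with no role at all and app1 still sees 'user' at the end. Renaming the cookie is what separates the two apps at the browser; as an extra measure that the post does not mention, each app can also set session.cookie_path to its own prefix (for example '/app1/') so the browser never sends one app's cookie to the other.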