Taint checking forms


In Perl there's that -t option that's supposed to check input for
anything nasty. I wondered if there's anything like that in PHP? Some
module? Or some tested block of PHP code that will do it? I'd be
grateful for any links to info.
Thanks, Lee G.

Re: Taint checking forms


On 07/18/2004 02:37 PM, leegold2 wrote:

If you use plain input field validation you will be able to reject any
values that are not acceptable.

You may want to take a look at this class. Besides many of the common
types of validation, it has support for discarding values usually passed
by hidden fields, for instance to specify id values of database records
to be edited. This way you do not have to worry about any attack
attempts. Take a look at the examples supplied with the class:



Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator

Re: Taint checking forms


 Taint mode in Perl doesn't check for anything "nasty" since there's no single
definition of what's "nasty". Taint mode limits your access to data obtained
from outside your program.

 See http://www.perldoc.com/perl5.8.0/pod/perlsec.html

 It's supposed to be -T, not -t, anyway; -t is for debugging, it just generates
warnings rather than the correct fatal errors.


 There isn't an equivalent, although it's part of the reason register_globals
is deprecated. With $_GET, $_POST etc., all the user input is segregated from
ordinary variables.

 As far as checking for "nasty" data goes, that depends entirely on context.
Data can only be "nasty" if special characters aren't properly escaped in the
way expected by the process/function/database/whatever you're passing them on

http://www.andyh.co.uk / http://www.andyhsoftware.co.uk/space
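The two replies above make complementary points: Manuel's, that hidden-field record ids must be validated rather than trusted, and Andy's, that Perl's -T works by restricting what you can do with outside data until you launder it, and that "nasty" only has meaning relative to the sink (HTML, SQL, shell) the data is passed to. The following is an added example, not code from the thread or from either poster, reproducing that taint discipline by hand in PHP. It assumes PHP 8.x and the pdo_sqlite extension (for an in-memory database); the form fields, table layout and the handleEdit function are constructed for illustration.

```php
<?php
// Added example (not from the original thread). Every request value is wrapped in
// a Tainted object that cannot be used as a plain string; it is only released
// through a method named after the sink it is going to, because the correct
// escaping is different for each sink.
// Assumptions: PHP 8.x, pdo_sqlite available.

declare(strict_types=1);

final class Tainted
{
    public function __construct(private string $raw) {}

    // No __toString() on purpose: "<p>$t</p>" or "WHERE id = $t" is a fatal
    // TypeError instead of an injection.

    // HTML context: entity-encode angle brackets, ampersand and both quote styles.
    public function forHtml(): string
    {
        return htmlspecialchars($this->raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    // Shell-argument context: different rules, so a different method.
    public function forShellArg(): string
    {
        return escapeshellarg($this->raw);
    }

    // SQL context: no escaping at all. The value is bound as a parameter so it
    // never becomes part of the SQL text.
    public function bindTo(PDOStatement $stmt, string $param, int $type = PDO::PARAM_STR): void
    {
        $stmt->bindValue($param, $this->raw, $type);
    }

    // Validation releases a typed value, not the raw string. This is how a
    // hidden-field record id leaves the wrapper: as a positive int or not at all.
    public function asPositiveInt(): ?int
    {
        $v = filter_var($this->raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        return $v === false ? null : $v;
    }
}

// Wrap every field at the trust boundary (normally $_POST or $_GET).
// Only scalars are accepted; nested arrays are rejected rather than silently passed.
function taint(array $request): array
{
    $out = [];
    foreach ($request as $name => $value) {
        if (!is_string($value)) {
            throw new InvalidArgumentException("field '$name' is not a scalar");
        }
        $out[$name] = new Tainted($value);
    }
    return $out;
}

// Handle an "edit comment" form with a hidden id and a free-text comment.
// $ownerId is the authenticated user, taken from the session, never from the form.
function handleEdit(array $request, PDO $db, int $ownerId): string
{
    $in = taint($request);

    $id = $in['id']->asPositiveInt();
    if ($id === null) {
        return '<p>Rejected: invalid record id</p>';
    }

    // Ownership is enforced in the query itself, so a well-formed but foreign id
    // updates zero rows. Every value is bound; nothing is concatenated into SQL.
    $stmt = $db->prepare('UPDATE comments SET body = :body WHERE id = :id AND owner = :owner');
    $in['comment']->bindTo($stmt, ':body');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':owner', $ownerId, PDO::PARAM_INT);
    $stmt->execute();

    if ($stmt->rowCount() === 0) {
        return '<p>Rejected: no such record for this user</p>';
    }
    // Echoing the comment back is an HTML sink, so it leaves via forHtml().
    return '<p>Saved: ' . $in['comment']->forHtml() . '</p>';
}

// Constructed fixture standing in for the real database and incoming requests.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, owner INTEGER NOT NULL, body TEXT)');
$db->exec("INSERT INTO comments VALUES (7, 1, 'hello'), (8, 2, 'someone else')");

echo handleEdit(['id' => '7',        'comment' => '<b>x</b> & "y"'], $db, 1), "\n"; // saved, escaped
echo handleEdit(['id' => '7 OR 1=1', 'comment' => 'x'],              $db, 1), "\n"; // invalid id
echo handleEdit(['id' => '8',        'comment' => 'takeover'],       $db, 1), "\n"; // not the owner
```

The point of the wrapper is the one Andy makes: there is no single "clean" function, so the type system is used to force the programmer to say which sink a value is headed for before it can be used at all. The ownership clause in the UPDATE is the part of Manuel's advice that validation alone cannot supply; a hidden id can be a perfectly valid integer and still belong to another user.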
