[FX.php List] Why doesn't this parse?

Gjermund Gusland Thorsen ggt667 at gmail.com
Tue May 20 17:18:39 MDT 2008


What is the security risk in heredoc?

ggt

2008/5/21 Jonathan Schwartz <jschwartz at exit445.com>:
> This sounds like a good alternative to try.
>
> For reference, I started out using string_replace(), with an operation for
> every variable.  It worked, but it was slow.
>
> Then, it was suggested to use heredoc, which took me until today to resolve,
> only to find out that it represented a security risk.
>
> I also received a suggestion to try Smarty, which I will still do.
>
> I will try the array method next.
>
> Thx
>
> Jonathan
>
> At 11:18 PM +0200 5/20/08, Erik Andreas Cayré wrote:
>>
>> On 20/05/2008 at 20.15, Chris Hansen wrote:
>>
>>> (2) what you want to do does have security implications if not managed
>>> properly...
>>
>> I completely agree.
>> You may run into trouble when someone gets curious and starts
>> experimenting with different variable names, just to see what happens...
>>
>> I would suggest using some homegrown mailmerge tags which you define, AND
>> check in the POST'ed data, and do some simple substitution, keeping the
>> variable names in your PHP code completely private...
>>
>> For example (conceptual, has not been tested...):
>>
>> $mergetags = array (
>>     '##name##'    => $name,     // tag seen by the user => private PHP variable
>>     '##address##' => $address,
>>     // etc.
>> );
>>
>> // ...
>>
>>
>> Kind regards
>> ---
>> Erik Andreas Cayré
>> Spangsbjerg Møllevej 169
>> 6705 Esbjerg Ø
>>
>> Private tel: 75150512
>> Mobile: 40161183
>>
>> ---
>> "In learning, interest is as much more effective than fear as a
>> nuclear explosion is stronger than a moped."
>>
>> --Stanley Kubrick
>>
>> "Only p....ed-off people can change the world. Innovation is not created by
>> 'market analysis', but by people who are insanely annoyed at the state of
>> things."
>> --Tom Peters
>>
>> "If you can't explain it simply, you don't understand it well enough."
>> -- Albert Einstein
>>
>> "If you don't have time to do it right, when will you have time to do it
>> over?"
>> -- John Wooden, basketball coach
>>
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
>
>
> --
> Jonathan Schwartz
> Exit 445 Group
> jonathan at exit445.com
> http://www.exit445.com
> 415-381-1852
>
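The tag-whitelist approach Erik sketches above, written out as an added example that is not code from the thread or from FX.php. It assumes the template text arrives in POSTed data and that the only tags the template may use are the ones the PHP code defines; the record values and the sample templates are constructed here.

```php
<?php
// Added example: whitelist-based merge-tag substitution instead of letting a
// user-supplied template interpolate PHP variables (the heredoc risk above).

/**
 * Replace ##tag## placeholders in $template using only the tags in $mergetags.
 * Any ##...## in the template that is NOT a defined tag causes rejection, so a
 * caller cannot probe for PHP variable names the way variable interpolation allows.
 */
function mergeTemplate(string $template, array $mergetags): string
{
    // Collect every ##...## the template mentions.
    preg_match_all('/##([A-Za-z0-9_]+)##/', $template, $m);
    $unknown = array_diff(array_unique($m[1]), array_keys($mergetags));
    if ($unknown !== []) {
        throw new InvalidArgumentException(
            'Unknown merge tag(s): ' . implode(', ', $unknown));
    }
    // Build the replacement map. strtr() makes a single pass over the string,
    // so a substituted value that itself contains ##name## is not expanded again.
    $map = [];
    foreach ($mergetags as $tag => $value) {
        $map['##' . $tag . '##'] = (string) $value;
    }
    return strtr($template, $map);
}

// Constructed sample record; the tag names are chosen by the PHP code, never
// by the user, and the PHP variable names behind them stay private.
$mergetags = [
    'name'    => 'Jane Doe',
    'address' => '1 Example Street',
];

// Template text as it might come from $_POST['template'] (constructed here).
$template = "Dear ##name##,\nWe will ship to ##address##.";
echo mergeTemplate($template, $mergetags), "\n";

// A template that mentions a tag the code never defined is refused outright
// rather than silently expanded to whatever happens to be in scope.
try {
    mergeTemplate('Hello ##internalVar##', $mergetags);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Because the map is built from the code's own tag list, adding a new tag means adding one array entry; nothing the user writes in the template can reach a variable that is not in that list.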

