[FX.php List] Why doesn't this parse?

Erik Andreas Cayré erik at cayre.dk
Wed May 21 08:51:03 MDT 2008


On 21/05/2008 at 16.24, Chris Hansen wrote:

> I don't know about Erik

Processing PHP code submitted by the user can be a huge security risk.
Of course you can validate the input, but in this case it isn't necessary to  
achieve the intended goal.

Btw. I have no idea what heredoc is...

> , but I was referring to the practice of allowing users free rein  
> to determine what your page outputs using the eval() function, and  
> has nothing to do with heredoc specifically.  (For example, a user  
> could experiment with variables and perhaps come up with the ones  
> containing FileMaker security credentials...)  Erik's method is  
> safer since it doesn't simply allow a user to output ANY variable  
> that may be available on the page.  Erik, correct me if I'm wrong here.

Right. In my suggestion, you only expose a finite number of merge  
tags, which allows the user the necessary flexibility in building the  
mailmerge recipe.
Validating user input is easy with in_array() or array_key_exists().

In addition, you have the freedom of renaming your variables (if ever  
necessary), without needing to talk to the customers since they will  
only use merge tags.

> --Chris
>
> On May 20, 2008, at 5:54 PM, Jonathan Schwartz wrote:
>> I defer to Chris and Erik.
>>
>> Jonathan
>>
>> At 1:18 AM +0200 5/21/08, Gjermund Gusland Thorsen wrote:
>>> What is the security risk in heredoc?
>>>
>>> ggt


---
Erik Andreas Cayré
Spangsbjerg Møllevej 169
DK-6705 Esbjerg Ø

Home Tel: +45 75150512
Mobile: +45 40161183

»Interest can produce learning on a scale compared to fear as a  
nuclear explosion to a firecracker.«
--Stanley Kubrick

»If you can't explain it simply, you don't understand it well enough.«
-- Albert Einstein

»If you don't have time to do it right, when will you have time to do  
it over?«
-- John Wooden, basketball coach
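The whitelisted merge-tag approach Erik describes, as an added example that is not code from the original post or from FX.php; the tag names, the `{{tag}}` recipe syntax and the record field names are assumptions:

```php
<?php
// Added example (not from the original list post): a mail-merge renderer that
// exposes only a finite, whitelisted set of merge tags, as Erik describes.
// The tag names, the {{tag}} recipe syntax and the record fields are assumptions.

// The only values a customer's recipe may reference. Internal variables
// (FileMaker credentials, connection objects, ...) are simply not in this array.
function buildMergeTags(array $record): array
{
    return [
        'first_name' => $record['FirstName'] ?? '',
        'last_name'  => $record['LastName'] ?? '',
        'invoice_no' => $record['InvoiceNumber'] ?? '',
    ];
}

// Validate a user-supplied recipe with array_key_exists(): every {{tag}} must be
// a known key. Returns the unknown tag names (empty when the recipe is acceptable).
function findUnknownTags(string $recipe, array $tags): array
{
    preg_match_all('/\{\{\s*([A-Za-z0-9_]+)\s*\}\}/', $recipe, $m);
    $unknown = [];
    foreach (array_unique($m[1]) as $name) {
        if (!array_key_exists($name, $tags)) {
            $unknown[] = $name;
        }
    }
    return $unknown;
}

// Render by plain text substitution: nothing in the recipe is ever executed.
function renderRecipe(string $recipe, array $tags): string
{
    $unknown = findUnknownTags($recipe, $tags);
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unknown merge tags: ' . implode(', ', $unknown));
    }
    return preg_replace_callback('/\{\{\s*([A-Za-z0-9_]+)\s*\}\}/',
        fn(array $m) => $tags[$m[1]], $recipe);
}
// Constructed sample record and recipe.
$tags = buildMergeTags(['FirstName' => 'Ada', 'LastName' => 'Lovelace', 'InvoiceNumber' => '1042']);
echo renderRecipe("Dear {{first_name}} {{last_name}}, invoice {{invoice_no}} is due.\n", $tags);
// A recipe that names a tag outside the whitelist is rejected, not evaluated.
try {
    renderRecipe('Hello {{db_password}}', $tags);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Because the recipe is only ever used as text to substitute into, renaming a server-side variable means changing one entry in buildMergeTags(), and the customers' recipes keep working unchanged.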


