
Re: [Savane-dev] Re: [Savannah-hackers] Security library development sta


From: Lorenzo Hernandez Garcia-Hierro
Subject: Re: [Savane-dev] Re: [Savannah-hackers] Security library development started ; -)
Date: Fri, 9 Apr 2004 20:23:55 +0200

Hi,

>    This is very good news, this thing *had* to be done, thanks for doing
> that grunt work ! :).

Good enough to discard the idea of migrating from Savane to GForge ?
:)

>    Now if PHP had something like input tainting... I'm not a PHP wizard, but
> is there some systematic way of looking for potential SQL injections or
> cross-site scripting issues ?

Input tainting can be a simple use of a function called ereg / eregi .
Just filtering values or characters inside a variable by passing it through
foreach and then using
eregi on them with a die function or similar ( ex: setting $feedback to a
warning message ).

This is dirty and not elegant , the most elegant solution is using
stripslashes or addslashes .
Mathieu Roy has worked out in this before ( and after 9 I wrote a little
"hack" for Savane code but
after that we removed the hack and I started working hard with my branch.

Cheers !
--------------------------------------
Lorenzo Hernandez Garcia-Hierro
<-><->-<-><-><-><-><-><-><-><->
PGP: Keyfingerprint:
4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
http://www.tuxedo-es.org
______________________________________
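An added example (not code from this post or from Savane) of the foreach-plus-regex whitelist filter the message describes, with preg_match() and the i modifier standing in for eregi(), which was removed in PHP 7; the parameter names, patterns, $feedback array and filter_request() function are assumptions made for this example, and the last lines show the validated value reaching the database through a bound parameter rather than an addslashes()-escaped string.

```php
<?php
// Added example, not the post's or Savane's own code.
// One whitelist pattern per expected request parameter (constructed sample).
$allowed = [
    'group_id' => '/^[0-9]{1,10}$/',            // numeric id only
    'login'    => '/^[a-z0-9_]{2,32}$/i',        // user name, like eregi: case-insensitive
    'sort'     => '/^(date|subject|author)$/i',  // fixed set of choices
];

// Walk every submitted value; unknown names and values that fail their
// pattern are dropped and a message is recorded in $feedback instead of die().
function filter_request(array $input, array $allowed, array &$feedback): array
{
    $clean = [];
    foreach ($input as $name => $value) {
        $safeName = htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8');
        if (!isset($allowed[$name])) {
            $feedback[] = "Unexpected parameter: $safeName";
            continue;
        }
        if (!is_string($value) || !preg_match($allowed[$name], $value)) {
            $feedback[] = "Invalid value for $safeName";
            continue;
        }
        $clean[$name] = $value;
    }
    return $clean;
}

// Constructed sample input: one good value, one quote-bearing value, one unknown key.
$sample = [
    'group_id' => '42',
    'login'    => "admin' --",
    'debug'    => '1',
];
$feedback = [];
$clean = filter_request($sample, $allowed, $feedback);
// $clean is ['group_id' => '42']; $feedback holds two warning messages.

// Even a validated value is passed to SQL as a bound parameter: escaping with
// addslashes() depends on the connection charset and does nothing for an
// unquoted numeric context, while a bound parameter is never parsed as SQL.
$pdo = new PDO('sqlite::memory:');                       // assumption: pdo_sqlite available
$pdo->exec('CREATE TABLE groups (group_id INTEGER, name TEXT)');
$stmt = $pdo->prepare('SELECT name FROM groups WHERE group_id = :id');
$stmt->bindValue(':id', (int) $clean['group_id'], PDO::PARAM_INT);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);               // empty table, so []
```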