Variable Poisoning :: Chapter 6 :: A better solution
- Golden Rule #1: "Filter Input"
- White List over Black List
  - Blacklist - permit everything that is not explicitly denied
  - Whitelist - deny everything that is not explicitly permitted
- Clean Array

    $clean['page'] = 'home.php'; // Default page

    switch ($_GET['page']) {
        case 'news.php':
            // fall through
        case 'about.php':
            // fall through
        case 'contact.php':
            // fall through
            $clean['page'] = $_GET['page'];
            break; // no default: case, omitted for space
    }

    $valid_languages = array ('en_us',
                              'en_gb',
                              'es',
                              'de', ...
                             );

    $lang = get_lang (); // Same as before

    $clean['lang'] = in_array ($lang, $valid_languages) ? $lang : 'en_us';

    include '/path/to/' . $clean['lang'] . '/' . $clean['page'];
**code compressed to fit on slide.
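The slide's switch / in_array pattern written out in full, as an added example that is not part of the original slides. It keeps the same idea (a $clean array that only ever holds whitelisted values, with a safe default otherwise) and makes two details explicit that the compressed slide code leaves implicit: request values can arrive as arrays, and in_array() should be called in strict mode. The page list, language list, base directory and the whitelist()/build_clean() helper names are assumptions for this example; the slide takes the language from get_lang(), here it is read from the same request array for simplicity.

```php
<?php
// Added example, not from the original slides: whitelist-based $clean
// array built from a request array. The allowed lists, the base
// directory and the helper names below are assumptions.

declare(strict_types=1);

const VALID_PAGES     = ['home.php', 'news.php', 'about.php', 'contact.php'];
const VALID_LANGUAGES = ['en_us', 'en_gb', 'es', 'de'];
const BASE_DIR        = '/var/www/app/pages'; // assumed location

/**
 * Return $value if it is a string found in $allowed, otherwise $default.
 *
 *  - is_string() is checked first because a query such as ?page[]=x makes
 *    $_GET['page'] an array, which the slide's switch would not expect;
 *  - in_array() is called with strict = true so PHP's loose comparison
 *    cannot let an unexpected type match an entry in the whitelist.
 */
function whitelist($value, array $allowed, string $default): string
{
    if (is_string($value) && in_array($value, $allowed, true)) {
        return $value;
    }
    return $default;
}

/** Build the clean array from a request array (normally $_GET). */
function build_clean(array $request): array
{
    $clean = [];
    $clean['page'] = whitelist($request['page'] ?? null, VALID_PAGES, 'home.php');
    $clean['lang'] = whitelist($request['lang'] ?? null, VALID_LANGUAGES, 'en_us');
    return $clean;
}

/** Compose the include path from whitelisted values only. */
function page_path(array $clean): string
{
    return BASE_DIR . '/' . $clean['lang'] . '/' . $clean['page'];
}

// Constructed request values standing in for $_GET (no web server needed).
$cases = [
    ['page' => 'about.php', 'lang' => 'de'],        // both valid: kept as-is
    ['page' => '../../etc/passwd', 'lang' => 'fr'], // not whitelisted: defaults
    ['page' => ['news.php'], 'lang' => 0],          // array / int: defaults
];

foreach ($cases as $request) {
    echo page_path(build_clean($request)), PHP_EOL;
}
```

Run with `php example.php`: the first request yields the de/about.php path, the other two fall back to en_us/home.php because nothing but the four page names and four language codes in the constants can ever reach the include. Note that `$request['page'] ?? null` also covers the case where the parameter is absent entirely, which the slide's switch handles through its default assignment on the first line.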