Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Critical PHP bug - act ASAP if you are running web with sensitive data

From: Jasper Bryant-Greene <jasper () album co nz>
Date: Wed, 29 Mar 2006 17:41:13 +1200
My point is, can you think of a logical reason why html_entity_decode would be run on user input? I'm sure some idiot is doing it (and therefore this is a security issue, though not exactly critical), but I don't think I can think of a reason why it would be done.
Why would you want to decode HTML entities given by a user? The opposite (encode their input into HTML entities) is the usual approach... 

Jasper

Slythers Bro wrote:



<?php
   $host = "127.0.0.1 <http://127.0.0.1>";
   $user = "sqluser";
   $pass = "sqlpass";

 .....

   $foobar=html_entity_decode($_GET['foo']);
   echo $foobar;

?>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: