On Mon, 09 Jan 2006 08:30:15 +0100, Thomas Bruederli <roundcube@gmail.com> wrote:
> Sjon wrote:
>> - validate an action by looking up the existence of
>> '/program/steps/$_task/$_action.inc'
> I don't like direct access to script files from URL parameters without any checks. This is one of the most popular security issues on many web applications.
I never said without any checks ;) What I use most of the time is something like this:
if (!preg_match('~^[a-zA-Z_-]*$~', $_action)) die('invalid action');
That way, it's secure and flexible.
Regards, Sjon
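As an added illustration of the dispatch-by-file-lookup pattern discussed in this thread (example code, not Roundcube's own and not Sjon's snippet): a small resolver that applies the character allow-list to both _task and _action and then, as an independent second guard, checks that the resolved file really lies under the steps directory. The directory layout, the 64-character cap and the function names are assumptions. One caveat a practitioner should know: in PCRE, `$` also matches just before a trailing newline, so an anchored pattern that should reject everything but the listed characters is better terminated with `\z` (or compiled with the `D` modifier).

```php
<?php
// Added example, not Roundcube code: validate a task/action pair from the
// URL, then resolve it to a step file with a realpath() containment check.
declare(strict_types=1);

const STEPS_DIR = __DIR__ . '/program/steps';   // assumed layout

/**
 * True only if $value is a non-empty identifier made of letters, digits,
 * underscore and hyphen. \z (rather than $) rejects a trailing newline,
 * which $ would let through in PCRE; the length cap is an assumption.
 */
function is_valid_name(string $value): bool
{
    return preg_match('~^[a-zA-Z0-9_-]{1,64}\z~', $value) === 1;
}

/**
 * Resolve a task/action pair to an absolute step file path, or return null
 * when the pair is rejected. The realpath() check is deliberately redundant
 * with the regex: if the allow-list is relaxed later, the resolved file must
 * still sit inside STEPS_DIR.
 */
function resolve_step(string $task, string $action): ?string
{
    if (!is_valid_name($task) || !is_valid_name($action)) {
        return null;                        // rejected by the allow-list
    }

    $base = realpath(STEPS_DIR);
    $file = realpath(STEPS_DIR . '/' . $task . '/' . $action . '.inc');

    if ($base === false || $file === false) {
        return null;                        // directory or step does not exist
    }
    if (strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                        // resolved outside the steps tree
    }
    return $file;
}

// Usage: take the parameters from the request (constructed defaults when
// they are absent), reject anything that does not resolve, then include.
$task   = (string) ($_GET['_task']   ?? 'mail');
$action = (string) ($_GET['_action'] ?? 'list');

$step = resolve_step($task, $action);
if ($step === null) {
    http_response_code(400);
    die('invalid task or action');
}
require $step;
```

With this layout, inputs such as `../../etc/passwd`, `list%00` or `list\n` fail is_valid_name() before any filesystem access, and a task name that passes the regex but maps to a symlink pointing outside the steps tree is still rejected by the realpath() comparison.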