NYCPHP Meetup

NYPHP.org

[nycphp-talk] Input whitelist validation warning

csnyder chsnyder at gmail.com
Fri May 18 16:19:32 EDT 2007


On 5/17/07, Cliff Hirsch <cliff at pinestream.com> wrote:
>
>  I just discovered a hole in a white list validation technique I bored from
> a PHP security book — no, not Chris' book.
>
>  Beware in_array($_POST/GET['input'], $whitelist)
>
>  Type matters. All input is string type and PHP will try to force type
> matching.
>
>  So the input string 'securityhole' will match the int number 0.
>

Hmmm, but it might as well be our book, because I don't immediately
see the problem...

$whitelist = array( 'foo', 'bar', 'baz' );
if ( !in_array( $_POST['input'], $whitelist ) ) {
  exit( "Denied, you cad!" );
}

What is the condition under which that is exploited?

-- 
Chris Snyder
http://chxo.com/


More information about the talk mailing list