1
Catzwolf
How does using htmlspecialchars on an INT make it more secure?
  • 2007/12/18 6:40

  • Catzwolf

  • Home away from home

  • Posts: 1392

  • Since: 2007/9/30


While developing a module for version 2.18 I have come across a loading of coding that to be quite frank, is not required or is totally overboard. One such class is xoopsFormRadio and the new method of securing this class.

While the first fact is that it no longer works,

Example you have to change:

Quote:
if ( $value === $ele_value ) {


To:

Quote:
if ( $value == $ele_value ) {


As under the newer method it will never truly equal.

But my main problem with the changes is that you are not treating the variables in the correct manner, or I am really failing to see what real benefits are from the changes made.

Example:

$ret .= ".$ele_name."' value='".htmlspecialchars($valueENT_QUOTES)."'";


$value is and should be treated like an INT. Here we are treating that variable in the same manner as we would treat a text value.

In this case it should have been:

$ret .= ".$ele_name."' value='".intVar($value)."'";


Actually with the case in mention, it would have been better to treat these values as boolean instead.

2
hervet
Re: How does using htmlspecialchars on an INT make it more secure?
  • 2007/12/18 9:11

  • hervet

  • Friend of XOOPS

  • Posts: 2267

  • Since: 2003/11/4


Hello John,

I have some scripts where the value "returned" by the option is not an integer but a string.
I believe that's the reason of this no ?

Finally, I also believe that when a value is returned from a form's field and when this value is surrounded by quotes, it is considered (and converted) as a string by Php (it may depends of your Php version).

Bye,
Hervé

Login

Who's Online

571 user(s) are online (296 user(s) are browsing Support Forums)


Members: 0


Guests: 571


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits