Hacker News
by jasonlotito 5577 days ago
8 years and you didn't know this? I assume it's the part where it turns [] passed vars into arrays. Even still, this is only a problem if you are blindly passing around user input without any verification. The same thing is just as easily accomplished in numerous other languages.

Honestly, I'm trying to figure out how someone could sanitize their input and still be affected by this.


> Honestly, I'm trying to figure out how someone could sanitize their input and still be affected by this.

I don't think you could, unless you tried to write your own sanitizing functions from scratch and somehow screwed it up. In PHP, htmlspecialchars(), mysql_real_escape_string() and addslashes() all do fine sanitizing array input -- either throwing an exception or returning the string "Array".

Hmm. I think these functions escape output, not sanitize input.
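The behaviour the thread is arguing about, as an added example that is not part of the original discussion: PHP's query-string parser turns `id[]=...` into an array, and a small type check before the escaping step is what keeps an array from ever reaching `htmlspecialchars()`. The `scalarParam()` helper and the sample query strings are constructed for this illustration; the `TypeError` shown at the end is PHP 8 behaviour (older versions emit a warning and return null instead).

```php
<?php
// Added example (not from the thread): how PHP's query-string parsing turns
// "name[]=..." into an array, and a guard that rejects non-scalar input before
// it reaches an escaping function such as htmlspecialchars().
declare(strict_types=1);

// Constructed sample query strings; a real request would populate $_GET.
$samples = [
    'id=42',          // plain scalar
    'id[]=42',        // parsed as array(0 => '42')
    'id[x]=42',       // parsed as array('x' => '42')
];

/**
 * Hypothetical helper: return $params[$name] only if it is a string,
 * otherwise null. Arrays (and missing keys) are rejected up front.
 */
function scalarParam(array $params, string $name): ?string
{
    if (!array_key_exists($name, $params)) {
        return null;
    }
    return is_string($params[$name]) ? $params[$name] : null;
}

foreach ($samples as $qs) {
    $params = [];
    parse_str($qs, $params);          // same parsing rules PHP applies to $_GET
    $id = scalarParam($params, 'id');
    if ($id === null) {
        printf("%-10s -> rejected (type %s)\n", $qs, gettype($params['id']));
        continue;
    }
    // Only a string reaches the escaping step.
    printf("%-10s -> accepted: %s\n", $qs, htmlspecialchars($id, ENT_QUOTES, 'UTF-8'));
}

// Without the guard: on PHP 8, handing the array straight to htmlspecialchars()
// throws a TypeError instead of escaping anything.
$params = [];
parse_str('id[]=<b>', $params);
try {
    htmlspecialchars($params['id'], ENT_QUOTES, 'UTF-8');
} catch (TypeError $e) {
    echo "Unguarded call: " . get_class($e) . "\n";
}
```

Run it with `php example.php`: the first sample is accepted and escaped, the two `id[...]` forms are rejected as arrays, and the final unguarded call reports the `TypeError`. The point for a defender is that the escaping functions are output encoders; the input type check is a separate, earlier step.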