| Subject: | I'm concerned about security in some... |
| Summary: | Package rating comment |
| Messages: | 3 |
| Author: | Artur Graniszewski |
| Date: | 2010-08-24 12:30:57 |
| Update: | 2010-08-25 12:16:38 |

Artur Graniszewski rated this package as follows:

| Utility: | Insufficient |
| Consistency: | Sufficient |
| Examples: | Sufficient |
Artur Graniszewski - 2010-08-24 12:30:57

I'm concerned about security in some parts of the code:

1) mysql_real_escape() in the sanitize() method should use the connection handler as the second argument (in case of 2 or more simultaneous connections with different character set encodings).

2) mysql_* functions should not be used before mysql_connect(), otherwise there will be an error. What's more, not every script needs a database connection at all to do its job, and in that case the class will always show mysql errors.

3) The script is written for PHP 5.0+ but not for PHP 5.3? The eregi function is deprecated in PHP 5.3 and in some server configurations will show E_DEPRECATED warnings on the user page.

4) The sanitize function should check arrays recursively (for example, $_POST params can be nested); currently it doesn't. This is potentially dangerous and can lead to code injections.

5) In case of PHP 5.2, you should check the filter_var function, which is written in pure C and because of that is faster than preg_match (for example in email, URL or IP validation).

Note that I did not check your entire code, but those are my first thoughts after seeing some parts of the class.
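The recursive sanitize() and the per-connection escaping that points 1, 4 and 5 above ask for, as an added example that is not the package's own code. The function names and the use of mysqli_real_escape_string() in place of the old mysql_* call are assumptions; the escaper and input at the bottom are constructed so the file runs without a database.

```php
<?php
// Walk a possibly nested request array and apply one escaping callback to
// every string leaf, so nested $_POST parameters are not left unescaped.
// The escaper is passed in, so the caller binds it to a specific connection
// (and therefore that connection's character set) instead of a global one.
function sanitize_recursive($value, callable $escape, int $depth = 0, int $maxDepth = 16)
{
    // Untrusted input decides the nesting depth; cap it to avoid deep recursion.
    if ($depth > $maxDepth) {
        throw new InvalidArgumentException('input nested too deeply');
    }
    if (is_array($value)) {
        $clean = [];
        foreach ($value as $key => $item) {
            // Keys are kept as-is here; if they ever reach SQL (column names),
            // check them against an allow-list rather than escaping them.
            $clean[$key] = sanitize_recursive($item, $escape, $depth + 1, $maxDepth);
        }
        return $clean;
    }
    if ($value === null || is_bool($value) || is_int($value) || is_float($value)) {
        return $value; // non-string scalars carry no quote characters
    }
    return $escape((string) $value);
}

// Point 5: validate formats with filter_var instead of hand-written regexes.
// Returns the validated address or null, so callers cannot mistake "false" for data.
function validate_email(string $input): ?string
{
    $result = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $result === false ? null : $result;
}

// With a real connection (point 1), bind the escaper to that handle:
//   $link   = mysqli_connect('host', 'user', 'pass', 'db');
//   $escape = fn(string $s) => mysqli_real_escape_string($link, $s);
// Escaping only protects quoted string literals; prepared statements
// (mysqli/PDO) remove the need for it and are the safer default.

// Constructed offline demonstration: addslashes() stands in for the
// connection-bound escaper, and $post is a made-up nested request.
$escape = fn(string $s) => addslashes($s);
$post   = ['user' => ['name' => "O'Brien", 'tags' => ["a'b", 'c']], 'q' => 'x"y', 'n' => 3];
var_dump(sanitize_recursive($post, $escape));
var_dump(validate_email('someone@example.com'));   // string
var_dump(validate_email('not an address'));        // NULL
```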
Hugo Mastromauro da Silva - 2010-08-25 11:01:45 - In reply to message 1 from Artur Graniszewski

Hi Artur,

Thanks for the comment, I'll work harder on the class to improve it; those were very helpful comments.
Hugo Mastromauro da Silva - 2010-08-25 12:16:38 - In reply to message 1 from Artur Graniszewski

Hello Artur,

I made some changes based on your comments and found them interesting; I hope that now the class is usable.

Thanks