Question

I set a php cookie

setcookie('pr','gulfstream',time()...etc...)

My validation page has arrays and statements as below.

$planes = array('gulfstream','Piper','Citation');

$abc = isset($_COOKIE['pr']) && in_array($_COOKIE['pr'],$planes) ? $_COOKIE['pr']:0;

My visitor pages use:

echo $abc;

Question: is the above safe to output to the page or should I further validate the statement with:

$abc = isset($_COOKIE['pr']) && in_array($_COOKIE['pr'],$planes) ? htmlspecialchars($_COOKIE['pr']):0; 
Était-ce utile?

La solution

I don't think there's a way to exploit this code in this example.

Anyway I think you have to be aware that it's is to make it exploitable by possibility of type juggling (usually cast to integer 0). That's why I suggest you to use strict mode of in_array like

in_array($_COOKIE['pr'],$planes, true); //third parameter enforces type checking

Autres conseils

Even if you've validated the cookie, it's still meant to contain text, and not HTML code. You should always use htmlspecialchars before outputting text in an HTML document.

Licencié sous: CC-BY-SA avec attribution
Non affilié à StackOverflow
scroll top