Problem

I set a php cookie

setcookie('pr','gulfstream',time()...etc...)

My validation page has arrays and statements as below.

$planes = array('gulfstream','Piper','Citation');

$abc = isset($_COOKIE['pr']) && in_array($_COOKIE['pr'],$planes) ? $_COOKIE['pr']:0;

My visitor pages use:

echo $abc;

Question: is the above safe to output to the page or should I further validate the statement with:

$abc = isset($_COOKIE['pr']) && in_array($_COOKIE['pr'],$planes) ? htmlspecialchars($_COOKIE['pr']):0; 

Solution

I don't think there's a way to exploit this code in this example.

Anyway, I think you have to be aware that it is possible to make it exploitable by type juggling (usually a cast to integer 0). That's why I suggest you use the strict mode of in_array, like

in_array($_COOKIE['pr'],$planes, true); //third parameter enforces type checking

Other tips

Even if you've validated the cookie, it's still meant to contain text, and not HTML code. You should always use htmlspecialchars before outputting text in an HTML document.
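The following added example (not code from the question or the answer) shows the type-juggling case the answer warns about and the escaping step from the tip: the whitelist is constructed with a hypothetical numeric model string so that loose `in_array` has something to match, and `pickLoose`/`pickStrict` are names chosen here.

```php
<?php
// Constructed whitelist (example only): '737' is a numeric string, so
// PHP's loose comparison treats '7.37e2' and '0737' as equal to it.
$planes = ['gulfstream', 'Piper', 'Citation', '737'];

// Same logic as the question: loose in_array, and the client's own
// cookie value is what gets returned.
function pickLoose(array $cookie, array $planes)
{
    return isset($cookie['pr']) && in_array($cookie['pr'], $planes)
        ? $cookie['pr'] : 0;
}

// Strict version: type-checked lookup, and the canonical whitelist entry
// is returned rather than whatever string the client sent.
function pickStrict(array $cookie, array $planes)
{
    if (!isset($cookie['pr']) || !is_string($cookie['pr'])) {
        return 0; // pr[]=... makes $_COOKIE['pr'] an array; reject it
    }
    $idx = array_search($cookie['pr'], $planes, true);
    return $idx === false ? 0 : $planes[$idx];
}

// Constructed cookie jars standing in for $_COOKIE.
$cases = [
    ['pr' => 'gulfstream'],    // legitimate value
    ['pr' => '7.37e2'],        // '7.37e2' == '737' under loose comparison
    ['pr' => '0737'],          // leading zero, also == '737'
    ['pr' => '<b>x</b>'],      // not in the list: rejected either way
    ['pr' => ['gulfstream']],  // array value from pr[]=gulfstream
];

foreach ($cases as $c) {
    printf("%-18s loose=%-10s strict=%s\n",
        json_encode($c['pr']),
        json_encode(pickLoose($c, $planes)),
        json_encode(pickStrict($c, $planes)));
}

// Output step from the tip: the value is text, so escape it for HTML.
$abc = pickStrict($_COOKIE, $planes);
echo htmlspecialchars((string) $abc, ENT_QUOTES | ENT_HTML5, 'UTF-8');
```

With the loose lookup the '7.37e2' and '0737' rows come back unchanged to the caller, while the strict lookup returns 0 for both and '737' only for an exact match.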

License: CC-BY-SA with attribution
Not affiliated with StackOverflow