security bug in PHP-server-1.1
Niels Berkers
niels at quotar.com
Wed Apr 11 11:07:01 PDT 2007
Niels Berkers wrote:
> Jonathan Daugherty wrote:
>> # for those who like to clean incoming content before your server is
>> # hacked. The following code line 216 in common.php
>>
>> This patch will break the server. (Most notably, it will break OpenID
>> authentication.) In particular, it will break whenever an input value
>> is url-encoded differently than it will be by htmlentities().
>>
> at least it is secure now :-(
>
Tested it against livejournal.com and my own test script... works fine
as far as I can see.
htmlentities() maybe... can use addslashes instead... guess that will
take out most of the risk -> SQL injections
br,
Niels
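The two points raised in this thread (htmlentities() on input corrupts values that are later URL-encoded, such as OpenID identifiers, and addslashes() is only a partial SQL defence) can be shown side by side in a few lines of PHP. The following is an added illustration, not code from PHP-server or from either poster; it assumes a PHP build with pdo_sqlite, and the OpenID identifier and table are constructed sample values.

```php
<?php
// Added illustration (not from the PHP-server project or the thread authors).
// Shows why entity-encoding on input breaks an OpenID round trip, and what a
// practitioner would do instead: keep the raw value, bind it as a parameter
// at the SQL boundary, and encode only at the HTML output boundary.

// Constructed sample: an OpenID identifier that carries a query string.
$identity = 'http://example.com/openid?user=alice&ver=2';

// 1. What the proposed patch does: sanitise everything on input.
//    ENT_QUOTES is passed explicitly so the result does not depend on the
//    PHP version's default flags.
$sanitised = htmlentities($identity, ENT_QUOTES, 'UTF-8');
// $sanitised is now 'http://example.com/openid?user=alice&amp;ver=2'.
// The identity provider sees the original URL, so any later comparison of
// the two URL-encoded forms fails, which is the OpenID breakage described.
var_dump(urlencode($identity) === urlencode($sanitised)); // bool(false)

// 2. SQL: protect at the database boundary with a bound parameter instead
//    of rewriting the input globally.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, openid TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO users (openid) VALUES (:openid)');
$insert->execute([':openid' => $identity]);

// The stored value is byte-for-byte the original, and the query text never
// contained user data, so no escaping rules had to be guessed.
$lookup = $pdo->prepare('SELECT openid FROM users WHERE openid = :openid');
$lookup->execute([':openid' => $identity]);
var_dump($lookup->fetchColumn() === $identity); // bool(true)

// Contrast with addslashes(): it backslash-escapes only ' " \ and NUL, and
// it is only correct for databases that treat backslash as an escape
// character inside string literals. SQLite and standard SQL do not (they
// double the quote instead), so the value is altered and the escaping
// assumption may not hold. A bound parameter carries no such assumption.
$slashed = addslashes("O'Reilly");
var_dump($slashed); // string(9) "O\'Reilly"
var_dump($pdo->quote("O'Reilly")); // string(11) "'O''Reilly'"

// 3. HTML output is where entity encoding belongs: encode at the point of
//    use, leaving the stored/compared value untouched.
echo '<a href="' . htmlspecialchars($identity, ENT_QUOTES, 'UTF-8') . '">'
   . htmlspecialchars($identity, ENT_QUOTES, 'UTF-8') . "</a>\n";
```

The design point is that escaping is specific to the sink (HTML, SQL, URL), so a single input-side transformation cannot be right for all of them; PDO::quote() is shown only to make the SQLite quoting rule visible, and the prepared statement with a bound parameter is the form to use in application code.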