Re: Auditing Code (security wise)

Posted by Vaughan on 1198248524
I came across this thread at x.o and a very valid question by catz.

Quote:


While developing a module for version 2.18 I have come across a loading of coding that to be quite frank, is not required or is totally overboard. One such class is xoopsFormRadio and the new method of securing this class.

While the first fact is that it no longer works,

Example you have to change:

Quote:

if ( $value === $ele_value ) {


To:

Quote:
if ( $value == $ele_value ) {


As under the newer method it will never truly equal.

But my main problem with the changes is that you are not treating the variables in the correct manner, or I am really failing to see what real benefits are from the changes made.

Example:

$ret .= "<input type='radio' name='".$ele_name."' value='".htmlspecialchars($value, ENT_QUOTES)."'";


$value is and should be treated like an INT. Here we are treating that variable in the same manner as we would treat a text value.

In this case it should have been:

$ret .= "<input type='radio' name='".$ele_name."' value='".intVar($value)."'";


Actually with the case in mention, it would have been better to treat these values as boolean instead.


i share the same opinion of catz in that integer values should only be treated as integer values. and htmlspecialchars is not correct usage there.

i think personally if integer values have to be treated as string variables then there is a more underlying issue with sanitation.

This Post was from: https://www.impresscms.org/iforum/viewtopic.php?topic_id=618&post_id=6661