var_export/print_r

Ilia Alshanetsky posted this a few hours ago on his blog:

Security Implications of var_export/print_r

It basically talks about how allowing user supplied data (POST, GET or even COOKIE really) to be saved to strings via var_export and print_r can be hazardous to one’s server’s health.
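The defensive counterpart, as an added example (not code from this post or from Ilia’s article): instead of letting the shape of the request decide how large a `print_r`/`var_export` string becomes, the dump is bounded by developer-chosen limits on nesting depth, item count and string length. The function name, the limits and the sample request data are assumptions constructed for illustration.

```php
<?php
// Added example. Unbounded: $log = print_r($_GET, true); // size set by the request.
// Bounded alternative: depth, item count and string length are capped here.
// The limits and the function name are assumptions, not from the post.

function bounded_dump($value, int $maxDepth = 4, int $maxItems = 20,
                      int $maxStrLen = 200, int $depth = 0): string
{
    if (is_array($value)) {
        if ($depth >= $maxDepth) {
            // Stop descending; report only how many entries were skipped.
            return 'array(' . count($value) . ') [depth limit]';
        }
        $out  = [];
        $seen = 0;
        foreach ($value as $k => $v) {
            if (++$seen > $maxItems) {
                $out[] = '... ' . (count($value) - $maxItems) . ' more';
                break;
            }
            $out[] = var_export($k, true) . ' => '
                   . bounded_dump($v, $maxDepth, $maxItems, $maxStrLen, $depth + 1);
        }
        return 'array(' . implode(', ', $out) . ')';
    }
    if (is_object($value)) {
        // Do not walk into objects: references to other objects can make the
        // dump far larger than the object itself.
        return get_class($value) . ' [object]';
    }
    if (is_string($value) && strlen($value) > $maxStrLen) {
        // Truncate long strings but record their real length.
        return var_export(substr($value, 0, $maxStrLen), true)
             . ' ... (' . strlen($value) . ' bytes)';
    }
    return var_export($value, true);
}

// Constructed sample request data: one oversized string, one deeply nested array.
$request = [
    'name'   => str_repeat('A', 5000),
    'filter' => ['a' => ['b' => ['c' => ['d' => ['e' => 1]]]]],
];

echo bounded_dump($request), PHP_EOL;
```

The output stays a few hundred bytes regardless of how long the string or how deep the array in the request is, which is the property the unbounded calls lack.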

I hadn’t thought about this in a long time. I ran into this when I used smarty for the first time. I had inadvertently passed a rather large object with quite a few references to other objects to the template, so when I tried to enable smarty’s debug feature, it choked on me because I went past my memory limit. (I think it was still at the default at that time: 8MB)

I think this post, yet again, shows how important it is that user supplied data gets filtered. I just read an article Ben Ramsey wrote for PHP|Architect’s latest issue regarding input filtering. It’s actually the first part of an ‘n’ part series so it didn’t really get into a lot of the meat. However he makes some really good points about why input filtering is needed and gave an overview of a couple principles to use when filtering input. If I recall right, Chris Shiflett also has a small bit on input filtering in that issue too. So I would recommend picking it up if you have some spare change.
