Re: [Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data

[Jasper Bryant-Greene <jasper@xxxxxxxxxxx>]

My point is, can you think of a logical reason why html_entity_decode 
would be run on user input? I'm sure some idiot is doing it (and 
therefore this is a security issue, though not exactly critical), but I 
don't think I can think of a reason why it would be done.

Why would you want to decode HTML entities given by a user? The opposite 
(encode their input into HTML entities) is the usual approach...

Jasper

Slythers Bro wrote:
> <?php
>    $host = "127.0.0.1 <http://127.0.0.1>";
>    $user = "sqluser";
>    $pass = "sqlpass";
>
>  .....
>
>    $foobar=html_entity_decode($_GET['foo']);
>    echo $foobar;
>
> ?>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/