Coeseneoupe
New Member
In the CodeIgniter PHP framework, there is a function that automatically runs on each request that, among other things, filters the GET/POST/COOKIE array keys, and kills the application if it encounters characters it deems unsafe.\[quote\] To prevent malicious users from trying to exploit keys we make sure that keys are only named with alpha-numeric text and a few other items.\[/quote\]Something like:\[code\]// foreach GET/POST/COOKIE keys as $str...if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str)){ exit('Disallowed Key Characters.');}\[/code\]For example, this will trigger if you accidentally post something like \[code\]<input name="TE$T">\[/code\] or have a query string like \[code\]?name|first=1\[/code\].I can see this being a good way to enforce common sense key names, or catch mistakes while developing an application, but I don't understand: How can a malicious user possibly "exploit keys" in \[code\]$_POST\[/code\] data for instance? Especially since (I would assume) input values are just as exploitable, what is this actually preventing?