Te Taipo - 2013-09-10 12:34:47 -
In reply to message 1 from mario
They are. Unfortunately, _POST filtering is very expensive, especially for websites that parse huge amounts of data via _POST.
It's a difficult one: almost all strings are valid via _POST vars. Imagine your site is a PHP discussion site; all sorts of code will be posted to the database, even examples of attack code.
The real security via _POST is correct database input preparation and coding practices rather than depending on the ambulance at the bottom of the cliff approach.
So I have only included a few examples in the blacklist of items that should not be found in 99% of _POST data: eval( strings, script alerts, etc., and some base64_encoded strings.
For example, if a _POST var had eval(base64_encode in it, the security class will call a ban of the page load.
The array_flatten function used in there is rather basic as well, and needs improvement to recursively iterate across the more 'sophisticated' arrays.
Hope that helps.
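The recursive array flatten and blacklist scan described in the post, as an added example that is not the poster's security class: the nested `_POST` payload, the function names and the two blacklist fragments are constructed here for illustration, and the caller decides what to do with a hit (ban the page load, or just log it).

```php
<?php
// Added example, not the poster's class. Recursively flatten a nested
// _POST-style array, then scan every leaf against a small blacklist.

/**
 * Flatten a nested array into ['dotted.key.path' => leaf value] pairs.
 * Recurses to arbitrary depth, unlike a single-level flatten.
 */
function array_flatten_recursive(array $input, string $prefix = ''): array
{
    $out = [];
    foreach ($input as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        if (is_array($value)) {
            $out += array_flatten_recursive($value, $path);
        } else {
            $out[$path] = (string) $value;
        }
    }
    return $out;
}

/**
 * Return ['dotted.key.path' => matched fragment] for each leaf containing a
 * blacklisted fragment. Matching is case-insensitive and ignores whitespace
 * inside the leaf, so "eval ( base64_encode" is treated like "eval(base64_encode".
 */
function scan_post_blacklist(array $post, array $blacklist): array
{
    $hits = [];
    foreach (array_flatten_recursive($post) as $path => $value) {
        $normalised = strtolower(preg_replace('/\s+/', '', $value));
        foreach ($blacklist as $fragment) {
            if (strpos($normalised, strtolower($fragment)) !== false) {
                $hits[$path] = $fragment;
                break; // one hit per leaf is enough to flag it
            }
        }
    }
    return $hits;
}

// Constructed sample: the two fragments named in the post, and a nested
// payload where the only suspicious leaf sits two levels deep.
$blacklist  = ['eval(base64_encode', '<script>alert('];
$samplePost = [
    'title'   => 'How do I use prepared statements?',
    'profile' => ['bio' => 'Hi', 'links' => ['a' => 'http://example.com',
                  'b' => 'x = eval(base64_encode("constructed sample"));']],
];
print_r(scan_post_blacklist($samplePost, $blacklist));
```

An empty result means no leaf matched; a non-empty array tells you which dotted key path matched which fragment, which is what you want in a log line when deciding whether the block was a false positive on a code-discussion site.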