Problem description:

Is using a foreach safe to do or does this open up for more security leaks?

<?php
// Escape every POST field in place before it is echoed back into the form.
foreach ($_POST as $key => $value) {
    $_POST[$key] = htmlspecialchars($_POST[$key]);
}
?>

<form method="POST" action="">
    <input type="text" name="test" value="<?=isset($_POST['test']) ? $_POST['test'] : ''?>"/>
    <input type="submit" />
</form>

VS.

<?php
// Escape only the single field that is echoed back; the isset guard avoids an
// undefined-index notice when the form has not been submitted yet.
if (isset($_POST['test'])) {
    $_POST['test'] = htmlspecialchars($_POST['test']);
}
?>

<form method="POST" action="">
    <input type="text" name="test" value="<?=isset($_POST['test']) ? $_POST['test'] : ''?>"/>
    <input type="submit" />
</form>

Answers:

If the user tries to inject an array, then htmlentities will generate a notice; you should check for a string before calling it, or else:

Notice: Array to string conversion

I have been using Acunetix (http://www.acunetix.com/); if you can afford it, it showed me flaws in my code.
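An added example (not code from the question or the answer above) showing how to handle the array case the answer describes: a recursive escaper that walks nested request arrays instead of raising the "Array to string conversion" notice, and an output-time helper so the raw request data is not rewritten in place. The function names e() and escapeDeep() and the sample request array are assumptions constructed for this example.

```php
<?php
// Added example, not part of the original post. Requires PHP 8.0+.
declare(strict_types=1);

/**
 * Escape a string for interpolation into HTML text or a quoted attribute.
 * ENT_QUOTES also encodes the single quote, which the default flags of older
 * PHP versions leave untouched; ENT_SUBSTITUTE replaces invalid UTF-8 bytes
 * instead of silently returning an empty string.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Walk a request array of arbitrary depth (e.g. "test[]=a&test[]=b") and
 * escape every leaf. Scalars are cast to string; anything else is rejected
 * rather than being coerced into a notice-producing string conversion.
 */
function escapeDeep(mixed $value): array|string
{
    if (is_array($value)) {
        return array_map('escapeDeep', $value);
    }
    if (is_scalar($value) || $value === null) {
        return e((string) $value);
    }
    throw new InvalidArgumentException(
        'Unsupported request value type: ' . get_debug_type($value)
    );
}

// Constructed sample request: one plain field and one array-valued field,
// the shape that makes a bare htmlspecialchars() call emit the notice.
$request = [
    'test' => '"><script>alert(1)</script>',
    'tags' => ['<b>bold</b>', ["O'Reilly"]],
];

// Whole-request escaping, array-safe, without mutating $_POST itself.
$safe = escapeDeep($request);
var_dump($safe);

// Output-time escaping: keep the raw value for storage or validation and
// encode only at the point where it is written into HTML.
$value = $request['test'] ?? '';
printf(
    '<input type="text" name="test" value="%s"/>' . "\n",
    is_string($value) ? e($value) : ''
);
```

Escaping at output time rather than rewriting $_POST up front keeps the original input intact for any later validation or storage, and the same e() helper can be reused in every template.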
