I set a php cookie

setcookie('pr','gulfstream',time()...etc...)

My validation page has arrays and statements as below.

$planes = array('gulfstream','Piper','Citation');

$abc = isset($_COOKIE['pr']) && in_array($_COOKIE['pr'],$planes) ? $_COOKIE['pr']:0;

My visitor pages use:

echo $abc;

Question: is the above safe to output to the page or should I further validate the statement with:

$abc = isset($_COOKIE['pr']) && in_array($_COOKIE['pr'],$planes) ? htmlspecialchars($_COOKIE['pr']):0; 

2 Answers

1

I don't think there's a way to exploit this code in this example.

Anyway, I think you have to be aware that it is possible to make it exploitable through type juggling (usually a cast to integer 0). That's why I suggest you use the strict mode of in_array, like

in_array($_COOKIE['pr'],$planes, true); //third parameter enforces type checking

3 Comments

Right, that's good advice. I'll set that. Are you also saying I don't need htmlspecialchars() in the statement?
You don't need it, since it is actually a string-to-string comparison: you know what values will be accepted.
Thanks dragoste, that's a wrap.
1

Even if you've validated the cookie, it's still meant to contain text, and not HTML code. You should always use htmlspecialchars before outputting text in an HTML document.

3 Comments

@JW Ok, wait, so you are saying I should go ahead and put that in the location I indicated in the original post?
I would keep variables un-encoded, and just encode them when you output them in your HTML. That way you can do other things with the variables, like check their length, without the encoding affecting the results.
Understood, but there are just too many of them in too many pages, I need to do this at this central point on the validation page. That being the case, in my original post, is the location of the htmlspecialchars() correct, in your estimation?
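Putting the two answers together, as an added example that is not part of the question or of either answer: the cookie is accepted only if it is a string that strictly matches one of the allowed values (the third argument to in_array), and htmlspecialchars is applied at the point where the value goes into the HTML, not where it is validated. The cookie name 'pr' and the $planes list are from the question; the helper names validatedPlane and h, the PHP 8 assumption, and the sample inputs are my own.

```php
<?php
// Added example, not code from the original post. Assumes PHP 8.
declare(strict_types=1);

const PLANES = ['gulfstream', 'Piper', 'Citation'];  // allowlist from the question

/**
 * Return the cookie value if it is exactly one of the allowed strings, else null.
 * A missing cookie, a non-string (a header "Cookie: pr[]=x" arrives as an array),
 * or a value that only loosely compares equal all end up as null, because the
 * third argument to in_array() demands identical type and value.
 */
function validatedPlane(array $cookies): ?string
{
    $value = $cookies['pr'] ?? null;
    if (!is_string($value)) {
        return null;
    }
    return in_array($value, PLANES, true) ? $value : null;
}

/** Encode for insertion into an HTML document; ENT_QUOTES also covers attribute values. */
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs standing in for $_COOKIE on different requests.
$cases = [
    'valid'        => ['pr' => 'gulfstream'],
    'wrong case'   => ['pr' => 'GULFSTREAM'],
    'injection'    => ['pr' => '<script>alert(1)</script>'],
    'array cookie' => ['pr' => ['gulfstream']],   // from "Cookie: pr[]=gulfstream"
    'missing'      => [],
];

foreach ($cases as $label => $cookie) {
    $plane = validatedPlane($cookie);
    // Validation decides whether the value is used at all; encoding at the
    // output point decides how it lands in the page. $plane stays unencoded
    // until this line, so length checks and comparisons still see the raw value.
    $output = $plane === null ? '(rejected)' : h($plane);
    printf("%-13s -> %s\n", $label, $output);
}
```

Only the first case prints a plane name; the other four are rejected before any output happens. Keeping the encoding in the output helper rather than in the validation line is what the second answer recommends; if the value must be encoded centrally anyway, it is still safe to do so here, because every accepted value is one of three fixed strings that contain no HTML metacharacters.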
