Nolongerused3921 Posted January 26, 2007

I'm currently working on a template engine, and I need to know what needs to be escaped before a string is considered safe for eval... Right now I'm placing anything that will be executed into a print, in quotes... And before that, I use addslashes()... And [b]just[/b] in case, I remove any ;'s when a variable is added into the variable array... Is this enough? Or do I need more? The variables the templates will have access to may contain user-editable content.

All this aside, I'm not sure if I even need sanitization, as I'm just reading a template, replacing any {$variable}'s with $template->vars[variable]... Could this be at all exploited?
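As an added example (not the poster's code, and not from any particular template library), here is the substitution approach from the second paragraph written out so that the template text is never handed to eval(). The class name, the `assign()` method, the `vars` property and the sample template are assumptions for illustration; the point is that with plain string replacement the only escaping that matters is for the output context (HTML here), so addslashes() and stripping semicolons become unnecessary.

```php
<?php
// Added example: a minimal template engine that substitutes {$name}
// placeholders by string replacement and never calls eval(). Class name,
// method names and the sample values below are constructed for illustration.

class Template
{
    /** @var array<string, scalar> variables the template may reference */
    public array $vars = [];

    public function __construct(private string $source) {}

    // Assign a variable. Only identifier-like names are accepted, so a
    // template can only ever reference keys that were explicitly assigned.
    public function assign(string $name, $value): void
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("Bad variable name: $name");
        }
        $this->vars[$name] = $value;
    }

    // Render: every {$name} placeholder is replaced with the HTML-escaped
    // value. Because the template is never passed to eval(), no PHP-level
    // escaping is needed; the value is treated purely as data.
    public function render(): string
    {
        return preg_replace_callback(
            '/\{\$([A-Za-z_][A-Za-z0-9_]*)\}/',
            function (array $m): string {
                $name = $m[1];
                if (!array_key_exists($name, $this->vars)) {
                    // Unknown placeholder: leave it visible rather than guess.
                    return $m[0];
                }
                return htmlspecialchars((string) $this->vars[$name], ENT_QUOTES, 'UTF-8');
            },
            $this->source
        );
    }
}

// Constructed sample: the value contains quotes, a semicolon and angle
// brackets, none of which need special handling because nothing is evaluated.
$tpl = new Template("<p>Hello, {\$name}! You have {\$count} messages.</p>\n");
$tpl->assign('name', 'O\'Brien; "<b>bold</b>"');
$tpl->assign('count', 3);
echo $tpl->render();
```

The design choice worth noting: the question of "what must be escaped before eval()" goes away entirely once user-controlled values are only ever substituted as data, and the remaining escaping decision is driven by where the output lands (HTML, a URL, a JSON document), not by PHP syntax.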