
Security issues when cleaning arrays (in PHP)?

Could someone please explain why $_POST = array(); isn't an effective way of resetting your $_POST superglobal?

I thought of this when reading this question.

Being an array, I would imagine all elements of that array, be it $_POST or any other, would be reset when re-initializing it.

You are right, $_POST = array(); fully resets $_POST!

The answers in the other post are about "how to sanitize/clean the value(s) of $_POST".

The line $_POST = array(); does fully reset the $_POST array.

I guess there is a misunderstanding on your side of the referenced question. The goal of that script isn't to empty $_POST but to sanitize the values.

tscully tries to sanitize the values in $_POST (because they are user input) so that he can "safely" use them further when doing DB operations.

That's why he uses mysql_real_escape_string (Escapes special characters in a string for use in a SQL statement).

What exactly is your question?
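The distinction this answer draws, as an added example that is not code from the question, the answers, or the referenced script: resetting the request array versus sanitizing its values. It uses a constructed input array, assumes an open PDO connection $pdo for the database part, and swaps in parameter binding where the referenced script used mysql_real_escape_string.

```php
<?php
// Added example, not code from the question or any answer. It contrasts
// RESETTING the request array (`$_POST = array();`) with SANITIZING its
// values, which is what the referenced script does. All input is constructed.

// Recursively sanitize every value of a request array for output in HTML.
// Keys and nesting are preserved (e.g. `name="tags[]"` fields), so no branch
// is left unescaped; only the values change.
function sanitize_for_html(array $input): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        $clean[$key] = is_array($value)
            ? sanitize_for_html($value)
            : htmlspecialchars(trim((string) $value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $clean;
}

// The database needs a different treatment than HTML: bind the raw value as
// a parameter instead of escaping it into the SQL text. This stands in for
// mysql_real_escape_string, which the referenced script used and which was
// removed in PHP 7. $pdo is assumed to be an open PDO connection.
function insert_name(PDO $pdo, string $name): void
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => trim($name)]);
}

// Constructed sample standing in for a real $_POST (works for $_GET as well).
$request = [
    'name' => '  Alice <script>alert(1)</script> ',
    'tags' => ["O'Reilly", '<b>php</b>'],
];

// 1) Reset: the array is emptied. Nothing survives, dirty or clean.
$request_reset = array();
var_dump($request_reset);

// 2) Sanitize: same shape as the input, values encoded for the HTML context.
$request_clean = sanitize_for_html($request);
echo $request_clean['name'], "\n";
echo $request_clean['tags'][0], "\n";
```

Resetting answers "how do I discard the request", sanitizing answers "how do I keep the request but make it safe for one specific output context"; the two are not interchangeable.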

unset($_POST) resets the superglobal, effectively erasing any values in it.

Cross-site scripting is such a wide subject that you won't be able to write the filter on your own.

check this XSS cheat sheet here: http://ha.ckers.org/xss.html

More info on developing anti-XSS measures here: http://hungred.com/web-development/solutions-crosssite-scripting-xss-attack/

As far as I know, that would do it. It should be noted that this only clears out the POST information, not the GET. The question I would have to ask is why?
