Well, in the past I didn't use vb's gpc cleaning solutions. But I'm now to a point that I'll start implenting them. Anyone got hints? Tricks? Or got some note's about it?

GPC is used to make sure that the only $_ inputs that are taken into account are the ones allowed by you (well, the coder).

Basically it works by taking the contents of $_POST and $_GET and looking at the list of variables to clean as set by you using gpc_clean_array.

So for example if you did
hello.php?alpha=foo&beta=bar&charlie=0

Then $_GET would contain alpha,beta,charlie. If you only specified alpha and beta to be cleaned then charlie would still be in the $_GET array (I think) but not in the GPC array. This is so that people can't inject extra variables into the $_GET or $_POST arrays.
Because they still exist in the $_GET array you should use GPC to make sure the script only sees what it's supposed to see.


As a special bonus variable types are set before going into GPC. So if you passed ?alpha=foo and it expected alpha as an INT or UINT, then it would return 0 thus possibly saving an error if you tried to insert a string into an int slot in sql, for example. Similarly if it expected a UINT (unsigned (non negative) int) and you passed -10 then it would reject it. I think it sets it to 0.


You probably ought to use GPC instead of referring to the $_ arrays directly. While not a major risk you never know who might take a shine to trying to inject stuff into the script.

__________________
"When you do something right, people won't be sure you've done anything at all" - "God", Futurama

My vB hacks: Site Backup (easily backup your forum files) -- Image Status Checker / Dead Image Finder - 3.5/3.6 -- Stop people mass deleting / editing their posts plugin - 3.6 -- v3arcade reduce scores to keep arcade competitive -- Make guests give a name when posting or replying - 3.0

Thanks for the big reply! A really really good text. Learned alot from it.