====== Parameter Manipulation Attack ======

An attempt to manipulate input so that it passes the application's validation and filtering. Because of PHP's weak typing and automatic type conversion, alternative representations of input parameters can foil validation checks. For example, empty('000') is false, but the string converts to 0 (zero) when used in a numeric context. If this attack is successful, it can lead to the ability to perform other attacks.

===== Exploited Vulnerability =====

  * [[security:function:request_functions|Security sensitive HTTP request functions]]

===== Remedy =====

  * Use whitelist checking rather than blacklist checking.

===== Additional Information =====

  * See [[security:web_application_security|web application security]] and [[catalog|security attacks catalog]].
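
The empty('000') case described above, shown beside a whitelist check of the kind the remedy recommends. This is an added example, not code from the original page; the function names weak_quantity and strict_quantity, the 1 to 100 range and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Weak check in the style the page warns about: it rejects only values that
// empty() treats as empty, then relies on PHP's numeric conversion.
// (Hypothetical function name.)
function weak_quantity(string $raw): ?int
{
    if (empty($raw)) {          // empty('0') is true, empty('000') is false
        return null;
    }
    return (int) $raw;          // '000' becomes 0, '5 apples' becomes 5
}

// Whitelist check: accept only the canonical decimal form of a positive
// integer, then enforce a range. The range limits are assumptions of this
// example. (Hypothetical function name.)
function strict_quantity(string $raw, int $min = 1, int $max = 100): ?int
{
    // \A and \z anchor the whole string, so a trailing newline is rejected too.
    if (preg_match('/\A[1-9][0-9]{0,8}\z/', $raw) !== 1) {
        return null;            // rejects '000', ' 5', '5 apples', '1e2', ''
    }
    $value = (int) $raw;
    return ($value >= $min && $value <= $max) ? $value : null;
}

// Constructed sample inputs, not taken from any real request.
$samples = ['5', '0', '000', ' 5', '5 apples', '1e2', ''];

foreach ($samples as $raw) {
    printf(
        "%-12s weak=%-5s strict=%s\n",
        var_export($raw, true),
        var_export(weak_quantity($raw), true),
        var_export(strict_quantity($raw), true)
    );
}
```

Every alternative representation that the weak check converts to a number comes back as NULL from the whitelist check; only '5' is accepted by both.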