You are here: RE: [PHP] security/sql issues with php « PHP « IT news, forums, messages
RE: [PHP] security/sql issues with php

Posted by "bruce" on 09/22/05 03:45

i agree with what you're saying...

my primary concern was to make sure that there wasn't/isn't something going
on that i haven't seen... up to know, i'm ok with what you're saying.

however, i still don't have a good answer to my question regarding how easy
(or hard) it is to detect if a query that should have originated with your
app's form is coming from a 3rd party/external site?

am i missing something here?

-bruce



-----Original Message-----
From: Chris Shiflett [mailto:shiflett@php.net]
Sent: Wednesday, September 21, 2005 5:27 PM
To: bedouglas@earthlink.net
Cc: 'Robert Cummings'; 'Mikey'; 'PHP Mailing Lists'
Subject: Re: [PHP] security/sql issues with php


bruce wrote:
> but in all honesty, if you're going to write an app, and you're going
> to do something with the data, it makes sense to me that you
> 'know'/ensure that you're dealing with the correct kind of data. as i
> see it, this allows you another way (low entropy) to determine that
> the information you're getting is correct/valid.

Sure, but it's easy to make a mistake. Previously, you made this statement:

> the app could do something like $_GET['username'] =
> reg_check($_GET['username'])

Even if reg_check() does a perfect job of filtering the data (I'm
guessing it returns FALSE if the data is invalid), this practice
heightens the risk of making an error, becuse you can have code like this:

echo $_GET['username'];

Is that a XSS vulnerability? Any security-conscious developer should
scream at such code, so by placing filtered data back into an array that
contains only tainted data deteriorates a developer's suspicion of any
data within $_GET, $_POST, etc.

In other words, I think the sheer volume of XSS vulnerabilities out
there demonstrates that it's far too easy to mistakenly trust and use
tainted data.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация