Posted by Rasmus Lerdorf on 05/28/05 02:32
Chris W. Parker wrote:
> One question. (Because I'm a lame brain when it comes to security as I'm
> not good at imagining how things can be exploited):
>
> Is it bad to give field names the same name as their database
> counterpart? i.e. In a database the first name column might be known as
> 'fname'. Should a form field called 'fname' NOT be created?
As long as you recognize that you need to filter things appropriately it
doesn't really matter. Application-level Web security is not that hard.
There is just 1 rule to remember. Never trust anything that comes from
the user. That includes all GET, POST and Cookie data, which most
people understand. But it also includes the User Agent, the Referer,
and even the Host header. Anything that comes across the wire in the
request can be hacked.
If you have written something and you'd like me to take a quick look for
any obvious exploits, feel free to mail me privately. If your site
requires a login, you can send me a test login if you want so I can dig
a bit deeper, otherwise I will still prod it from the outside. I'm not
going to hack into your server in any way, just prod your web
application a little bit with various web requests. Server-level
security is a completely different kettle of fish which mostly comes
down to keeping up to date with OS-level security updates.
So far about 80% of sites I have looked at have had pretty serious
issues. Like that www.vlaamse-kern.com one where you could trick people
into sending you their usernames and passwords pretty easily.
-Rasmus
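Added example, not code from the original post, showing the rule above in practice: form fields may share names with database columns as long as column names come from a fixed allowlist and values are bound parameters, and the Host, User-Agent and Referer headers are treated as user input like any POST field. The column list and hostnames are assumed values.

```php
<?php
// Added example, not code from the original post. Column and host lists
// below are assumed values for illustration.

// Form fields may share names with these columns: the query takes column
// names only from this allowlist, never from the request itself.
const UPDATABLE_COLUMNS = ['fname', 'lname', 'email'];
// Hostnames this application is legitimately served under.
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

// Build a parameterized UPDATE from POST data. Unknown keys are dropped,
// values become bound parameters, so POST content cannot alter the SQL.
function buildProfileUpdate(array $post, int $userId): array
{
    $sets = [];
    $params = [];
    foreach (UPDATABLE_COLUMNS as $col) {
        if (isset($post[$col]) && is_string($post[$col])) {
            $sets[] = "$col = :$col";
            $params[":$col"] = $post[$col];
        }
    }
    if ($sets === []) {
        return [null, []];
    }
    $params[':id'] = $userId;
    return ['UPDATE users SET ' . implode(', ', $sets) . ' WHERE id = :id', $params];
}

// The Host header arrives over the wire like everything else; a value
// outside the allowlist must not be used to build links or redirects.
function trustedHost(array $server): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host); // strip an explicit port
    return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
}

// User-Agent and Referer are user input too: escape them before they are
// echoed into HTML, e.g. in a log viewer or a "you came from" link.
function headerForHtml(array $server, string $key): string
{
    return htmlspecialchars($server[$key] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage with constructed request data: 'role' is not in the allowlist and
// is dropped; the apostrophe in the name is carried as a bound value.
[$sql, $params] = buildProfileUpdate(['fname' => "O'Brien", 'role' => 'admin'], 42);
// $pdo->prepare($sql)->execute($params);
$host = trustedHost(['HTTP_HOST' => 'attacker.example:8080']); // null: not allowlisted
echo headerForHtml(['HTTP_USER_AGENT' => 'Mozilla/5.0 <b>x</b>'], 'HTTP_USER_AGENT');
```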