Home page logo

basics logo Security Basics mailing list archives

Re: PHP filter function against SQL injections
From: jeffrey rivero <jeffr76 () yahoo com>
Date: Tue, 13 Feb 2007 09:58:49 -0500

I second that its all to often i see this as an major problem

Henry Troup wrote:
It's a serious mistake to assume that the php page will only ever see input from its own page.  An attacker will not 
use the form on the page, but drive attacks directly into the submit URL.  Client-side javascript can be a user convenience; 
but it can never be part of your security strategy.

Filtering input for security must be done on the server.  On the server you must treat all input as "evil" until it is 
proven innocent (passes the filter).

Henry Troup
htroup () acm org

 On Sat Feb 10 10:35 , Nic Stevens  sent:

I would suggest, though, using data filtering on the form using javascript as your first line of defense. If you're accepting a string, for example, only allow valid characters to be placed in the form field. (I don't know the event handler syntax off hand but I know it can be done)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]