Re: [PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread Larry Garfield
On Tuesday 07 August 2007, Dan wrote: > I know how you can use cross site scripting if you can steal cookies and do > bad stuff with JS. My question now though is if I have a form, and I post > to myself and just echo the value of that post, is that bad? Nobody else > would see the result of my p

Re: [PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread Richard Lynch
On Tue, August 7, 2007 9:55 pm, Daniel Brown wrote: > On 8/7/07, Richard Lynch <[EMAIL PROTECTED]> wrote: >> On Tue, August 7, 2007 5:08 pm, Daniel Brown wrote: >> > It's actually not so much for echo'ing as it is for processing >> the >> > data in another manner that makes it dangerous not to

Re: [PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread brian
Daniel Brown wrote: On 8/7/07, Richard Lynch <[EMAIL PROTECTED]> wrote: On Tue, August 7, 2007 5:08 pm, Daniel Brown wrote: It's actually not so much for echo'ing as it is for processing the data in another manner that makes it dangerous not to do some sanitizing and checking such as data

Re: [PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread Daniel Brown
On 8/7/07, Richard Lynch <[EMAIL PROTECTED]> wrote: > On Tue, August 7, 2007 5:08 pm, Daniel Brown wrote: > > It's actually not so much for echo'ing as it is for processing the > > data in another manner that makes it dangerous not to do some > > sanitizing and checking such as database man

Re: [PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread Nathan Nobbe
just an fyi for the list. filtering input and escaping output are topics on the zend certification exam. -nathan On 8/7/07, Richard Lynch <[EMAIL PROTECTED]> wrote: > > Are you the only user? > > Is it authenticating you to keep all other users out? > > If some random 'net user can send POST dat

Re: [PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread Richard Lynch
Are you the only user? Is it authenticating you to keep all other users out? If some random 'net user can send POST data, and you just blindly spit it out, with no filtering and no escaping, then, yes, that is insecure. There are all manner of nasty things that can be done to this setup by other
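
The self-posting form the thread keeps describing ("account created with password: ..."), written both ways, as an added example that is not code from any of the posters. The field name `password`, the two render functions and the sample value standing in for `$_POST['password']` are this example's own assumptions. The first function does what the original question describes and is reflected XSS: whatever arrives in the POST body is interpolated into the markup, so a value containing a script tag is executed by the browser that receives the page, regardless of who typed it. The second escapes at the point of output with `htmlspecialchars()`, which is the "escaping output" Nathan and Richard refer to.

```php
<?php
// Added example, not from the mailing-list thread: the same self-posting
// form rendered without escaping (vulnerable) and with escaping (hardened).
declare(strict_types=1);

// Vulnerable: the raw POST value is interpolated straight into HTML, so the
// browser parses any tags it contains as markup and runs any script.
function render_vulnerable(string $password): string
{
    return "<p>Account created with password: $password</p>";
}

// Hardened: escape for the HTML text context at the moment of output.
// ENT_QUOTES also turns ' and " into entities, so the same escaped value is
// safe inside a quoted attribute; naming the charset avoids depending on the
// runtime default.
function render_escaped(string $password): string
{
    $safe = htmlspecialchars($password, ENT_QUOTES, 'UTF-8');
    return "<p>Account created with password: $safe</p>";
}

// Constructed sample input (an assumption of this example) standing in for a
// hostile submission; when run under a web server the real POST field is used.
$submitted = $_POST['password'] ?? '<script>alert(document.cookie)</script>';

if (PHP_SAPI === 'cli') {
    // Run from the command line to compare the two renderings side by side:
    // the first line contains a live <script> element, the second only
    // &lt;script&gt; text that the browser would display rather than execute.
    echo render_vulnerable($submitted), PHP_EOL;
    echo render_escaped($submitted), PHP_EOL;
} else {
    header('Content-Type: text/html; charset=UTF-8');
    echo render_escaped($submitted);
}
```

Escaping is context-specific: `htmlspecialchars()` is correct for HTML text and quoted attributes, but a value placed inside a `<script>` block, a URL, or an SQL statement needs the escaping or parameterisation for that context instead, which is the point Richard makes about "too many disparate related technologies".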

Re: [PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread Richard Lynch
Well, there's Chris Shifflett's book on PHP Security, which is probably linked somewhere from that site, as he's the lead developer on that site as well... I'm not sure I'd go so far as to call it a Bible for PHP Security, though, as there are simply too many disparate related technologies with th

Re: [PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread Dan
I know how you can use cross site scripting if you can steal cookies and do bad stuff with JS. My question now though is if I have a form, and I post to myself and just echo the value of that post, is that bad? Nobody else would see the result of my post so no malicious JS could ever do anythin

Re: [PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread Richard Lynch
On Tue, August 7, 2007 5:08 pm, Daniel Brown wrote: > It's actually not so much for echo'ing as it is for processing the > data in another manner that makes it dangerous not to do some > sanitizing and checking such as database manipulation. This is wrong. Google for "cross site scripting

Re: [PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread FrozenDice
Thanks for the info Richard. I'll check out that website. Do they recommend any literature about PHP security, or is there a "bible" (one book that everyone recommends, in EE it's http://www.amazon.com/Elements-Analysis-Electrical-Electronic-Engineering/dp/0070612854) for PHP security like there us

Re: [PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread Richard Lynch
On Tue, August 7, 2007 4:57 pm, Dan wrote: > I've always heard it is bad if you let a user type some input, then > show it > back to them w/o sanitizing the code. Eg. I have a form, where the > user > types something, they hit submit and it submits to itself then prints > back > to the user someth

[PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread Daniel Brown
I'm just forwarding this as a courtesy to the list, because Anthony accidentally just sent it to me, as opposed to "Reply-All'ing" the list. If you want more information on this subject you should search Google for "Cross Site Scripting" and "XSS". Of particular interest is this site: http://h

Re: [PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread Dan
Thanks Stut and Daniel, I guess my fears were somewhat unfounded. At least in the case where you're the only one who sees the result. - Dan ""Daniel Brown"" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] On 8/7/07, Dan <[EMAIL PROTECTED]> wrote: I've always heard it is bad if

Re: [PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread Daniel Brown
On 8/7/07, Dan <[EMAIL PROTECTED]> wrote: > I've always heard it is bad if you let a user type some input, then show it > back to them w/o sanitizing the code. Eg. I have a form, where the user > types something, they hit submit and it submits to itself then prints back > to the user something lik

Re: [PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread Stut
Dan wrote: I've always heard it is bad if you let a user type some input, then show it back to them w/o sanitizing the code. Eg. I have a form, where the user types something, they hit submit and it submits to itself then prints back to the user something like, account created with password:

[PHP] Echoing input w/o sanatizing - what is the danger

2007-08-07 Thread Dan
I've always heard it is bad if you let a user type some input, then show it back to them w/o sanitizing the code. Eg. I have a form, where the user types something, they hit submit and it submits to itself then prints back to the user something like, account created with password: whatever they