Re: PHP filter function against SQL injections
- From: jeffrey rivero <jeffr76@xxxxxxxxx>
- Date: Tue, 13 Feb 2007 09:58:49 -0500
I second that its all to often i see this as an major problem
jeff
Henry Troup wrote:
It's a serious mistake to assume that the php page will only ever see input from its own page. An attacker will not use the form on the page, but drive attacks directly into the submit URL. Client-side javascript can be a user convenience; but it can never be part of your security strategy.
Filtering input for security must be done on the server. On the server you must treat all input as "evil" until it is proven innocent (passes the filter).
--
Henry Troup
htroup@xxxxxxx
On Sat Feb 10 10:35 , Nic Stevens sent:
I would suggest, though, using data filtering on the form using javascript as your first line of defense. If you're accepting a string, for example, only allow valid characters to be placed in the form field. (I don't know the event handler syntax off hand but I know it can be done)
- Follow-Ups:
- RE: PHP filter function against SQL injections
- From: Dan Anderson
- RE: PHP filter function against SQL injections
- References:
- Re: PHP filter function against SQL injections
- From: Henry Troup
- Re: PHP filter function against SQL injections
- Prev by Date: Re: PHP filter function against SQL injections
- Next by Date: Re: One-Time Pad software?
- Previous by thread: Re: PHP filter function against SQL injections
- Next by thread: RE: PHP filter function against SQL injections
- Index(es):
