RE: PHP filter function against SQL injections



I'll add another "me too".

In my experience, extensive use of client-side security is a terrific
indicator that the server is probably vulnerable.

I'd actually recommend not having the client check anything.

The problem with any security checking at the client is that it provides
absolutely no security and still manages to instill a false feeling that you
are secure.

Dan

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of jeffrey rivero
Sent: Tuesday, February 13, 2007 8:59 AM
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: PHP filter function against SQL injections

I second that. It's all too often I see this as a major problem.
jeff

Henry Troup wrote:
It's a serious mistake to assume that the php page will only ever see
input from its own page. An attacker will not use the form on the page,
but drive attacks directly into the submit URL. Client-side javascript
can be a user convenience; but it can never be part of your security
strategy.

Filtering input for security must be done on the server. On the server
you must treat all input as "evil" until it is proven innocent (passes the
filter).

--
Henry Troup
htroup@xxxxxxx

On Sat Feb 10 10:35, Nic Stevens sent:

I would suggest, though, using data filtering on the form using
javascript as your first line of defense. If you're accepting a string,
for example, only allow valid characters to be placed in the form
field.
(I don't know the event handler syntax offhand, but I know it can be
done.)
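The point the thread makes, as an added example that is not part of the original messages (Python with an in-memory SQLite table instead of PHP/MySQL so it runs stand-alone; the users table, the `lookup_*` function names and the hostile string are all constructed for illustration): the "trust the form" handler concatenates the field value into SQL because the page's JavaScript only allowed `[A-Za-z0-9_]`, but an attacker posts straight to the handler and never runs that JavaScript. The hardened handler repeats the allowlist on the server and uses a parameterized query, so even a value that slips past the allowlist can never be parsed as SQL.

```python
import re
import sqlite3

# Constructed sample data (not from the thread): a tiny users table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'trust the form' handler: the page's JavaScript limited the field
    to [A-Za-z0-9_], so the server just splices the value into the query.
    Nothing stops a client that never loaded the page from sending anything."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param_only(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query with no input validation at all: the driver sends
    the value as data, so it is compared literally and can never become SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Hypothetical allowlist, the same rule the form enforced, now on the server.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Server-side filter plus parameterized query: input is 'evil' until it
    passes the allowlist, and even then it is bound as a parameter."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("rejected input: %r" % username)
    return lookup_param_only(conn, username)


def demo() -> dict:
    """Run each handler against an honest value and a value an attacker would
    drive directly into the submit URL, bypassing the form entirely."""
    conn = make_db()
    honest = "alice"
    hostile = "x' OR '1'='1"      # constructed payload: turns WHERE into a tautology
    results = {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # dumps every row
        "param_hostile": lookup_param_only(conn, hostile),  # no such username
        "safe_honest": lookup_hardened(conn, honest),
    }
    try:
        lookup_hardened(conn, hostile)
        results["safe_hostile"] = "accepted"
    except ValueError:
        results["safe_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows `vuln_hostile` returning both rows while `param_hostile` returns none and `safe_hostile` is rejected before the query is ever built; the client-side check contributed nothing to either outcome, which is exactly Henry's point.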




