- From: comphelp@xxxxxxxxx (Todd H.)
- Date: 07 Jun 2006 11:48:13 -0500
"dredge" <kcox@xxxxxxxxxx> writes:
> I have been asked to build a PHP application that calculates important
> financial information based on some user-inputted numbers and that will
> not allow the user to continue forward unless a certain percentage
> range has been met. To validate the numbers, I am considering using
> validation code is running on the client side and does not have to wait
> for a refresh, as would be required for the server-side PHP
That would be a huge (albeit common) mistake.
> could potentially hack it to allow unacceptable financial numbers to be
> submitted. Am I just being too paranoid here?
No, you are paranoid with good cause!
By using a software web proxy (such as Paros or Spike) or Firefox
plugins like TamperData, it is trivially simple to modify form fields
Nothing will get you around the inconvenient necessity of having to
scrub all form field data on the server side and treat it as
malicious. Before you develop this application, I strongly recommend
you read the OWASP guide to open web application security:
Specifically to the issue you're discussing is data validation, which
is #1 on OWASP's top ten security threats to web apps:
Quoting that, "A surprising number of web applications use only
client-side mechanisms to validate input. Client side validation
mechanisms are easily bypassed, leaving the web application without
any protection against malicious parameters."
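As an added illustration of the point above (this is example code written for this page, not code from the poster or from OWASP), here is the server-side PHP check that has to exist regardless of what the browser does. The field names `income` and `expenses`, the hidden `js_ok` flag, and the acceptable 20-40% range are all hypothetical; the sample requests are constructed to stand in for `$_POST` after a proxy or TamperData has altered them.

```php
<?php
// Added example, not part of the original thread. Field names, the
// js_ok flag and the 20-40% range are hypothetical choices for this demo.
declare(strict_types=1);

const RATIO_MIN = 20.0;
const RATIO_MAX = 40.0;

/**
 * Parse one numeric field from untrusted request data.
 * Returns a float, or null if the value is missing, not a plain string
 * (e.g. smuggled in as field[]=...), non-numeric, infinite, or negative.
 */
function parse_amount(array $input, string $name): ?float
{
    if (!array_key_exists($name, $input) || !is_string($input[$name])) {
        return null;
    }
    $v = filter_var(trim($input[$name]), FILTER_VALIDATE_FLOAT);
    if ($v === false || !is_finite($v) || $v < 0) {
        return null;
    }
    return $v;
}

/**
 * Recompute the percentage on the server from the raw amounts.
 * Nothing the browser computed (including any "already validated"
 * flag such as js_ok) is consulted; the client is treated as hostile.
 */
function validate_ratio(array $input): array
{
    $income   = parse_amount($input, 'income');
    $expenses = parse_amount($input, 'expenses');
    if ($income === null || $expenses === null) {
        return ['ok' => false, 'reason' => 'missing or non-numeric amount'];
    }
    if ($income <= 0) {
        return ['ok' => false, 'reason' => 'income must be positive'];
    }
    $ratio = $expenses / $income * 100.0;
    if ($ratio < RATIO_MIN || $ratio > RATIO_MAX) {
        return [
            'ok'     => false,
            'reason' => sprintf('ratio %.2f%% outside %.0f-%.0f%%', $ratio, RATIO_MIN, RATIO_MAX),
            'ratio'  => $ratio,
        ];
    }
    return ['ok' => true, 'ratio' => $ratio];
}

// Constructed sample requests standing in for $_POST. The first is what the
// page's JavaScript would send; the others are what a user can send with a
// proxy or TamperData after the in-page check has already "passed".
$requests = [
    'honest'         => ['income' => '5000', 'expenses' => '1500',   'js_ok' => '1'],
    'tampered_value' => ['income' => '5000', 'expenses' => '4900',   'js_ok' => '1'],
    'tampered_type'  => ['income' => '5000', 'expenses' => ['1500'], 'js_ok' => '1'],
    'garbage'        => ['income' => '5000abc', 'expenses' => '1500', 'js_ok' => '1'],
];

foreach ($requests as $label => $post) {
    $r = validate_ratio($post);
    printf("%-15s %s\n", $label, $r['ok'] ? 'accepted' : 'rejected: ' . $r['reason']);
}
```

Only the `honest` request is accepted; the other three are rejected on the server even though each carries `js_ok=1`. The client-side JavaScript can stay for the user's convenience (no round trip on typos), but the decision to let the user "continue forward" is made solely by `validate_ratio()`.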