On 29 Mar 2008 17:33:40 -0700, in bit.listserv.ibm-main you wrote:

>On 29/03/2008, Paul Gilmartin <[EMAIL PROTECTED]> wrote:
>
>> There's a thread ongoing in MVS-OE on CGI security. The first
>> principle is: don't trust data received over the network. The
>> second is: don't trust Javascript validation on the client side.
>> Always remember that your potential adversary controls the client.
>
>There's a recent thread on Bruce Schneier's blog on The Security Mindset.
>http://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html
>Somehow it seems that people either think this way or they don't. That
>anyone in 2008 could consider for a moment doing validation of
>anything important on the client side is astonishing.

To save hassle to the person at the keyboard, I would validate what I can on the client side and revalidate with paranoia on the server. This is to cut down on the number of transmissions.

Clark Morris

>
>Tony H.
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

