begin quoting James G. Sack (jim) as of Thu, Aug 23, 2007 at 10:17:44PM -0700:
> James G. Sack (jim) wrote:
> >..<big snip>
> >
> > => There is no reason to have post data provide anything resembling sql.
> > You can always return a token (eg, "SEARCH_BY_FIRST_NAME"), and then
> > look up the sql from a hash (or something equivalent)
>
> SQL isn't the only thing to worry about protecting from spoofing.
>
> Similar patterns go for external program names or shell commands or even
> directory paths that users may be selecting from an option list

Yup.

> Such precautions should maybe even apply to internal code parameter
> passing, but web form data is the *easiest* thing to spoof.

It's so easy, one should *assume* it has been spoofed. With rewriting web
proxies, and tools like greasemonkey (ff) and user-javascript (opera), it's
going to become more and more likely that it will be.

It seems greasemonkey runs before noscript, so you can use greasemonkey to
rewrite the web-page and *still* keep javascript disabled by default.

-- 
Client-side validation is one of the evil programming habits of our time.

Stewart Stremler
-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
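The token-lookup pattern jim describes, and that Stewart extends to program names and directory paths, in working form. This is an added example, not code from this thread or the list; the `people` table, the command list, the export directories and the form field names are all constructed here for the demo. The form value is only ever used as a dictionary key, so a spoofed token (including one carrying SQL text) selects nothing and is rejected before any query, command or path is built.

```python
"""Server-side allow-list lookup for untrusted web form tokens.

Added example, not code from the kplug-lpsg thread. Assumes a handler
receives an ``action`` token plus a ``value`` from a form; table, commands
and directories below are constructed for the demo.
"""
import os
import sqlite3

# Token -> parameterized SQL. The client never supplies SQL text; it names
# a key, and the search value is bound as a parameter, never interpolated.
SEARCH_QUERIES = {
    "SEARCH_BY_FIRST_NAME": "SELECT id, first, last FROM people WHERE first = ?",
    "SEARCH_BY_LAST_NAME": "SELECT id, first, last FROM people WHERE last = ?",
}

# Same pattern for external programs: the token selects a fixed argv list
# (to be passed to subprocess without a shell, so nothing is re-parsed).
REPORT_COMMANDS = {
    "DISK_USAGE": ["df", "-h"],
    "UPTIME": ["uptime"],
}

# And for directories: the token selects a fixed base path (constructed).
EXPORT_DIRS = {
    "PUBLIC": "/srv/exports/public",
    "ARCHIVE": "/srv/exports/archive",
}


class RejectedInput(ValueError):
    """Raised when a form token is not in the allow-list."""


def lookup(table, token):
    """Return the server-side value for *token*, or reject it.

    A spoofed, malformed or unhashable token maps to nothing; the caller
    never sees any part of the untrusted string in the result.
    """
    try:
        return table[token]
    except (KeyError, TypeError):
        raise RejectedInput(f"unknown token {token!r}") from None


def search_people(conn, action, value):
    """Run the query named by *action* with *value* bound as a parameter."""
    sql = lookup(SEARCH_QUERIES, action)
    return conn.execute(sql, (value,)).fetchall()


def command_for(action):
    """Return a copy of the fixed argv selected by *action*."""
    return list(lookup(REPORT_COMMANDS, action))


def export_path(area, filename):
    """Join *filename* onto the directory named by *area*.

    The directory comes from the allow-list; the filename is then checked
    lexically so that '..' or an absolute path cannot leave that directory.
    """
    base = lookup(EXPORT_DIRS, area)
    candidate = os.path.normpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        raise RejectedInput(f"path {filename!r} escapes {area}")
    return candidate


def demo_db():
    """In-memory table with constructed rows, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, first TEXT, last TEXT)")
    conn.executemany("INSERT INTO people (first, last) VALUES (?, ?)",
                     [("Ada", "Lovelace"), ("Alan", "Turing")])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(search_people(db, "SEARCH_BY_FIRST_NAME", "Ada"))
    for bad in ("SELECT * FROM people", "DROP TABLE people"):
        try:
            search_people(db, bad, "x")
        except RejectedInput as exc:
            print("rejected:", exc)
```

Note that the rejection happens at the lookup, not by trying to sanitize the token: the only strings that ever reach `execute`, `subprocess` or the filesystem are the ones defined on the server, which is the whole point of the indirection.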
