It's not that bad.
Use filter functions and sanity checks for input.
Use htmlspecialchars() basically on output.
That should take care of basically everything.
On Jun 7, 2010, at 6:16 AM, Igor Escobar <titiolin...@gmail.com> wrote:
This was my fear.
Systems Analyst & Interface Designer
+ @igorescobar (twitter)
On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind <peter.e.l...@gmail.com> wrote:
On 7 June 2010 14:54, Igor Escobar <titiolin...@gmail.com> wrote:
The portal for which I work is suffering constant attacks that I
is PHP Injection. Somehow the hacker is getting to change the
that our system generates. Concatenating the HTML file with
have an iframe to a malicious JAR file. Do you have any
prevent this action? The hacker has no access to our file system,
inputting the code through some security hole. The problem is that
is very big and has lots and lots of partners hosted on our
structure. We are failing to identify the focus of these attacks.
Check all user input + upload: make sure that whatever comes from the
user is validated. Then check all output: make sure that everything
output is escaped properly. Yes, it's an enormous task, but there's no
way around it.
WWW: http://plphp.dk / http://plind.dk
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
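The two-layer approach both replies describe (filter functions and sanity checks on input, htmlspecialchars() on every value at output time), worked through as an added example in PHP. This is not code from the thread or from the poster's portal: the field names, the validation rules, the sample submission and the attacker.invalid hostname are all constructed for the demonstration, and it assumes the mbstring extension is available.

```php
<?php
// Added example (not from the thread): validate on input, escape on output.
declare(strict_types=1);

// Escape for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 with U+FFFD instead of silently returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Sanity-check one submitted "partner profile" (hypothetical form).
// Returns [ok, cleaned-data-or-errors].
function validateProfile(array $raw): array
{
    $errors = [];
    $clean  = [];

    // Display name: allow-list of letters, digits, space, . ' - and a length cap.
    $name = trim((string)($raw['name'] ?? ''));
    if ($name === '' || mb_strlen($name, 'UTF-8') > 60
        || !preg_match('/^[\p{L}\p{N} .\'-]+$/u', $name)) {
        $errors['name'] = "name must be 1-60 letters, digits, spaces or . ' -";
    } else {
        $clean['name'] = $name;
    }

    // E-mail: PHP's own filter does the syntax check.
    $email = filter_var($raw['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'invalid e-mail address';
    } else {
        $clean['email'] = $email;
    }

    // Website link: must parse as a URL and use http or https only, so a
    // javascript: or data: value never reaches an href.
    $url    = filter_var($raw['website'] ?? '', FILTER_VALIDATE_URL);
    $scheme = $url !== false ? strtolower((string)parse_url($url, PHP_URL_SCHEME)) : '';
    if ($url === false || !in_array($scheme, ['http', 'https'], true)) {
        $errors['website'] = 'website must be an http(s) URL';
    } else {
        $clean['website'] = $url;
    }

    // Free text: only a length limit here. It is made safe at output time
    // by e(), not by trying to strip tags on the way in.
    $bio = (string)($raw['bio'] ?? '');
    if (mb_strlen($bio, 'UTF-8') > 500) {
        $errors['bio'] = 'bio is limited to 500 characters';
    } else {
        $clean['bio'] = $bio;
    }

    return [$errors === [], $errors === [] ? $clean : $errors];
}

// Render the profile. Every interpolated value goes through e(), including
// the one that ends up inside an attribute.
function renderProfile(array $p): string
{
    return '<div class="profile">'
        . '<h2>' . e($p['name']) . '</h2>'
        . '<a href="' . e($p['website']) . '">' . e($p['website']) . '</a>'
        . '<p>' . e($p['bio']) . '</p>'
        . '<p>contact: ' . e($p['email']) . '</p>'
        . '</div>';
}

// Constructed sample submission. The bio carries the kind of markup the
// original post describes (an iframe pointing at a .jar); the hostname is
// a placeholder, not a real indicator.
$submitted = [
    'name'    => "O'Brien Partners",
    'email'   => 'contact@example.com',
    'website' => 'https://example.com/',
    'bio'     => 'Best deals! <iframe src="http://attacker.invalid/payload.jar"></iframe>',
];

[$ok, $result] = validateProfile($submitted);
if (!$ok) {
    foreach ($result as $field => $msg) {
        echo "rejected {$field}: {$msg}\n";
    }
    exit(1);
}

$html = renderProfile($result);
echo $html, "\n";

// Self-check: the user-supplied iframe must survive only as &lt;iframe ...&gt;,
// so the only raw "<" characters in the page are the ones renderProfile wrote.
$userText = implode('', $result);
echo (strpos($html, '<iframe') === false && strpos($userText, '<iframe') !== false)
    ? "iframe neutralised: it was rendered as text, not markup\n"
    : "WARNING: raw user markup reached the output\n";
```

Run it with `php example.php`. The point of the split is that validation rejects what has no business in a field (a non-URL in `website`, a name full of punctuation) while escaping handles everything else, including the free-text bio that legitimately may contain angle brackets; neither layer alone is enough, which is why Peter's reply says to check both input and output.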