tedd wrote:
>>> Any ideas about how I can reproduce this problem would be greatly
>>> appreciated, and any suggestions about how to fix it would be even more
>>> greatly appreciated. 8-)
>>>
>>> Thanks for your attention.
>>>
>>> --
>>> Best regards,
>>> mikesz mailto:[EMAIL PROTECTED]
>
> Scrub and clean all user input.
>
> My understanding -- nothing can get in unless you allow it (barring
> server breaches).
>
> Here's an example of js injection:
>
> http://webbytedd.com/bb/insecure-form/
>
> SQL injection (as I understand it) is simply allowing the user to
> prepare (in part) the SQL query. Scrub and clean user input and prepare
> the query yourself as per what you will allow.
With all due respect, this is bad advice. The decision to allow or disallow certain content is a business/application decision, not a security decision. If you display content properly *as content*, then it does not matter what it is.

The security problem here is NOT the data; it is the fact that the data is being displayed *as code*, in this case HTML code. The fact that your example demonstrates the proper approach (using HTML escaping to display the user data) rather than 'scrubbing and cleaning' the input makes this advice even more confusing.

Dan

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
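The distinction Dan draws (data displayed as content versus data displayed as code) is easiest to see side by side, so here is an added example; it is not code from either poster or from the linked webbytedd.com page. The sample input, the `h()` helper name and the SQLite in-memory table are all constructed for this illustration. The same hostile string is stored untouched, then rendered once as code (the XSS) and once as content (escaped at output time), and inserted through a bound parameter so the database never sees it as part of the query text.

```php
<?php
// Added example, not from the thread. Shows the same untrusted string handled
// three ways: rendered as code (vulnerable), rendered as content (escaped),
// and written to a database through a bound parameter (no scrubbing needed).

// Constructed sample input: what a hostile user might type into a comment box.
$input = '<script>alert(document.cookie)</script> O\'Reilly " onmouseover=1';

// 1) Displaying data *as code*: the string is spliced into the markup, so the
//    browser parses the <script> tag and runs it. This is the XSS.
function render_insecure(string $s): string
{
    return "<p>$s</p>";
}

// 2) Displaying data *as content*: encode for the HTML text context at output
//    time. ENT_QUOTES also encodes single quotes, so the same helper is safe
//    inside quoted attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from
//    silently producing an empty string. Always name the charset.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_secure(string $s): string
{
    return '<p>' . h($s) . '</p>';
}

// 3) SQL: never let the user supply part of the query text. Bind the value;
//    the statement the database compiles is the same whatever $input contains.
//    Hypothetical table, created in an in-memory SQLite database (requires the
//    pdo_sqlite extension, which ships with most PHP builds).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $input]);

// Read it back: the stored value is byte for byte what the user typed.
// Nothing was "scrubbed", and nothing needed to be for the database's sake.
$row = $pdo->query('SELECT body FROM comments WHERE id = 1')
           ->fetch(PDO::FETCH_ASSOC);
assert($row['body'] === $input);

echo "Insecure: ", render_insecure($row['body']), "\n";
echo "Secure:   ", render_secure($row['body']), "\n";

// After escaping there is no '<', '>', '"' or "'" left in the value, so the
// browser cannot interpret any part of it as a tag or attribute boundary.
assert(strpbrk(h($row['body']), '<>"\'') === false);
```

Run it with `php example.php` and compare the two lines: the insecure one contains a live `<script>` element, the secure one contains `&lt;script&gt;` and renders as visible text. Note that `htmlspecialchars` is only correct for the HTML text and attribute contexts; data placed inside a `<script>` block, a URL, or a CSS value needs the encoder for that context, which is the general form of the "display it as content, not as code" rule.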