At 1:25 PM -0500 11/12/07, Dan Cech wrote:
> tedd wrote:
>> Scrub and clean all user input.
>>
>> My understanding -- nothing can get in unless you allow it (barring
>> server breaches).
>>
>> Here's an example of js injection:
>>
>> http://webbytedd.com/bb/insecure-form/
>>
>> SQL injection (as I understand it) is simply allowing the user to
>> prepare (in part) the SQL query. Scrub and clean user input and prepare
>> the query yourself as per what you will allow.

> With all due respect, this is bad advice.  The decision to allow or
> disallow certain content is a business/application decision, not a
> security decision.

Above I said "Scrub and clean all user input" <-- that's not a business/application decision but rather one of security.

I don't care what the client says with regard to his business needs; I will not knowingly introduce any security breaches. Instead, I will try to produce what the client wants rather than what he says he wants -- surely he doesn't want a security breach.

> If you display content properly *as content* then it does not matter
> what it is.  The security problem here is NOT the data, it is the fact
> that the data is being displayed *as code*, in this case html code.

Negative. It's not "displaying the content" that's at issue but rather allowing foreign code to be injected into a MySQL query. You simply clean all user input. You never trust the user to do what's right with regard to any aspect of security. You control it all or you have no control.

> The fact that your example demonstrates the proper approach (using html
> escaping to display the user data) rather than 'scrubbing and cleaning'
> the input makes this advice even more confusing.

Well, I guess that we are both confusing, because I don't get what you said.

I am simply, but apparently not effectively, saying that you never trust outside data regardless. You never allow the user to have access to any portion of your code for injection -- period.

My example shows that a user could inject a piece of code and produce something that was not in my code. But, perhaps my demo is less than optimal in showing that -- sorry.

Cheers,

tedd


--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com
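The two injection mechanisms the thread argues about, shown side by side as an added example. This is not code from the thread or from the webbytedd.com demo; it assumes PHP 7.4+ with the pdo_sqlite extension, and the table, column names and sample inputs are all constructed for the demo (a real form would read them from $_POST). It separates the SQL layer (user text pasted into the query vs. bound as a value) from the HTML layer (user text echoed raw vs. escaped at output time):

```php
<?php
// Added example, not code from this thread or from the webbytedd.com demo.
// Assumes PHP 7.4+ with the pdo_sqlite extension.  The table, column names
// and sample inputs are constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)");
$db->exec("INSERT INTO comments (body) VALUES ('first post'), ('second post')");

// Constructed sample inputs: a harmless one, an SQL-injection attempt and
// an HTML/JS-injection attempt.
$inputs = [
    "first post",
    "' OR '1'='1",                          // tries to become part of the SQL
    "<script>alert('xss')</script>",        // tries to become part of the HTML
];

// UNSAFE: the user's string is pasted into the query text, so the database
// parses whatever it contains as SQL.  This is "allowing the user to
// prepare (in part) the SQL query".
function findUnsafe(PDO $db, string $needle): array
{
    $sql = "SELECT id, body FROM comments WHERE body = '" . $needle . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the query text is fixed by the programmer and the user's string is
// sent separately as a bound value.  Nothing in the value can change the
// query's structure, so the input needs no "cleaning" for this purpose.
function findSafe(PDO $db, string $needle): array
{
    $stmt = $db->prepare("SELECT id, body FROM comments WHERE body = ?");
    $stmt->execute([$needle]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Rendering is a separate layer with its own escaping rule.  The value is
// stored untouched and escaped only where it is emitted as HTML content,
// so a <script> tag is displayed literally instead of being executed.
function renderUnsafe(string $s): string
{
    return "<p>$s</p>";
}

function renderSafe(string $s): string
{
    return '<p>' . htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

foreach ($inputs as $in) {
    echo "input: $in\n";
    try {
        echo "  string-built query matched " . count(findUnsafe($db, $in)) . " row(s)\n";
    } catch (PDOException $e) {
        // The quotes inside alert('xss') break the SQL syntax: the classic
        // symptom of an injectable query, even for input not aimed at the DB.
        echo "  string-built query failed: " . $e->getMessage() . "\n";
    }
    echo "  prepared query matched " . count(findSafe($db, $in)) . " row(s)\n";
    echo "  raw HTML:     " . renderUnsafe($in) . "\n";
    echo "  escaped HTML: " . renderSafe($in) . "\n\n";
}
```

Run it with `php example.php`. For the `' OR '1'='1` input the string-built query returns every row while the prepared query returns none; for the `<script>` input the string-built query fails with a syntax error while the prepared query simply finds no match, and only the escaped rendering shows the tag as text. The point is that the same stored string is handled correctly at both layers without any input "scrubbing": each sink applies its own rule at the moment the data is turned into SQL or HTML.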
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
