Security Basics mailing list archives
Re: PHP filter function against SQL injections
From: Henry Troup <htroup () acm org>
Date: Mon, 12 Feb 2007 20:18:28 -0500
It's a serious mistake to assume that the php page will only ever see input from its own page. An attacker will not use the form on the page, but drive attacks directly into the submit URL. Client-side javascript can be a user convenience; but it can never be part of your security strategy. Filtering input for security must be done on the server. On the server you must treat all input as "evil" until it is proven innocent (passes the filter). -- Henry Troup htroup () acm org On Sat Feb 10 10:35 , Nic Stevens sent:
I would suggest, though, using data filtering on the form using javascript as your first line of defense. If you're accepting a string, for example, only allow valid characters to be placed in the form field. (I don't know the event handler syntax off hand but I know it can be done)
Current thread:
- Re: PHP filter function against SQL injections, (continued)
- Re: PHP filter function against SQL injections Koen Bossaert (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 08)
- Re: PHP filter function against SQL injections Terra Frost (Feb 09)
- Message not available
- Re: PHP filter function against SQL injections Terra Frost (Feb 12)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 09)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 09)
- Re: PHP filter function against SQL injections Nic Stevens (Feb 12)
- Re: PHP filter function against SQL injections Koen Bossaert (Feb 08)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 14)
- RE: PHP filter function against SQL injections Dan Anderson (Feb 19)