Network Security: Detailed info on Re: PHP filter function against SQL injections

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Security-Basics

[Top] [All Lists]

Re: PHP filter function against SQL injections

from [Henry Troup] Network Security

[Permanent Link]

Subject:	Re: PHP filter function against SQL injections
Date:	Mon, 12 Feb 2007 20:18:28 -0500

It's a serious mistake to assume that the php page will only ever see input 
from its own page.  An attacker will not use the form on the page, but drive 
attacks directly into the submit URL.  Client-side javascript can be a user 
convenience; but it can never be part of your security strategy.

Filtering input for security must be done on the server.  On the server you 
must treat all input as "evil" until it is proven innocent (passes the filter).

--
Henry Troup
htroup@acm.org

 On Sat Feb 10 10:35 , Nic Stevens  sent:


I would suggest, though, using data filtering on the form using 
javascript as your first line of defense. If you're accepting a string, 
for example, only allow valid characters to be placed in the form field. 
(I don't know the event handler syntax off hand but I know it can be done)

[More messages with this same subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: PHP filter function against SQL injections, (continued) Re: PHP filter function against SQL injections, Koen Bossaert Re: PHP filter function against SQL injections, Kellox Re: PHP filter function against SQL injections, jeffrey rivero Re: PHP filter function against SQL injections, Terra Frost Message not available Re: PHP filter function against SQL injections, Terra Frost Re: PHP filter function against SQL injections, Kellox Re: PHP filter function against SQL injections, jeffrey rivero Re: PHP filter function against SQL injections, Nic Stevens FW: PHP filter function against SQL injections, kevin fielder Re: PHP filter function against SQL injections, Henry Troup Re: PHP filter function against SQL injections, Henry Troup <= Re: PHP filter function against SQL injections, jeffrey rivero Re: Re: PHP filter function against SQL injections, ianbow

Previous by Date:	SF new column announcement: Mouse-Trapped (by Mark Rasch), Kelly Martin
Next by Date:	Re: PHP filter function against SQL injections, jeffrey rivero
Previous by Thread:	Re: PHP filter function against SQL injections, Henry Troup
Next by Thread:	Re: PHP filter function against SQL injections, jeffrey rivero
Indexes:	[Date] [Thread] [Top] [All Lists]