Network Security Security-Basics
Re: PHP filter function against SQL injections

Subject: Re: PHP filter function against SQL injections
Date: Tue, 13 Feb 2007 09:58:49 -0500
I second that; it's all too often I see this as a major problem.
jeff

Henry Troup wrote:
It's a serious mistake to assume that the php page will only ever see input 
from its own page.  An attacker will not use the form on the page, but drive 
attacks directly into the submit URL.  Client-side javascript can be a user 
convenience; but it can never be part of your security strategy.

Filtering input for security must be done on the server.  On the server you must treat 
all input as "evil" until it is proven innocent (passes the filter).

--
Henry Troup
htroup@acm.org

On Sat Feb 10 10:35, Nic Stevens sent:

I would suggest, though, using data filtering on the form using javascript as your first line of defense. If you're accepting a string, for example, only allow valid characters to be placed in the form field. (I don't know the event handler syntax off hand but I know it can be done)
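The thread's point is that the server must validate every value itself, because the HTTP request may come from anything, not just the page's own form. The following is an added example, not code from the thread or from either poster. It assumes PHP with PDO and the SQLite driver (for an in-memory demo database); the `users` table, the `findUser` and `validUsername` function names, and the sample inputs are all constructed for this illustration. The same per-field character whitelist Nic suggests for the form is applied on the server, and the value is then bound as a query parameter rather than concatenated into SQL.

```php
<?php
// Added example (not from the thread): server-side validation plus a
// parameterized query. Nothing here depends on client-side JavaScript.
declare(strict_types=1);

/**
 * Whitelist check for a username field: letters, digits, dot, underscore,
 * hyphen, 3 to 32 characters. Anything else is rejected outright rather
 * than "cleaned", so the server never guesses what the caller meant.
 */
function validUsername(string $input): bool
{
    return preg_match('/^[A-Za-z0-9._-]{3,32}$/', $input) === 1;
}

/**
 * Look up a user by name. The value is bound as a parameter, so even if the
 * whitelist were loosened the query structure could not be altered by input.
 * Invalid input throws; a valid but unknown name returns null.
 */
function findUser(PDO $db, string $username): ?array
{
    if (!validUsername($username)) {
        throw new InvalidArgumentException('username failed server-side validation');
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo database (assumes the pdo_sqlite extension is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Values as they might arrive in $_POST['username'], whether or not any
// browser-side filter ran first. Constructed for this example; in a real
// handler you would read $_POST['username'] ?? '' here.
$inputs = [
    'alice',            // passes the whitelist and exists
    'carol',            // passes the whitelist, not present
    "bob' OR '1'='1",   // fails the whitelist; never reaches the query
];

foreach ($inputs as $in) {
    try {
        $r = findUser($db, $in);
        printf("%-20s => %s\n", json_encode($in),
            $r === null ? 'not found' : 'found id ' . $r['id']);
    } catch (InvalidArgumentException $e) {
        printf("%-20s => rejected (%s)\n", json_encode($in), $e->getMessage());
    }
}
```

The two layers are deliberately independent: the whitelist keeps malformed data out of the application, and the prepared statement keeps any data that does get through from changing the SQL. A client-side check can still be added purely for the user's convenience, but removing it must not weaken either layer.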



<Prev in Thread] Current Thread [Next in Thread>