security bug in PHP-server-1.1
Niels Berkers
niels at quotar.com
Wed Apr 11 10:01:01 PDT 2007
Norman Rasmussen wrote:
> On 4/11/07, Jonathan Daugherty <cygnus at janrain.com> wrote:
>> # why? templates are for output, not for processing... AND as soon as
>> # you get the data in your system you should clean it.
>>
>> Yes, that's true. But you clean it so output is safe, and so that
Nope, I clean it so my server / databases with personal information from
users are safe.
>> passing it through services (i.e., a database) is safe. There's no
>> point in cleaning the data until you use it in a dangerous context;
Yes there is. This is what we call in Dutch a "drogreden", which
means something like a false reason. This is like saying, well, I'm online,
but I don't use a firewall, virus scanner and ad blockers, nor install
security updates/patches. Because hey, if I don't handle the content
there is no problem. Really, there is not one developer I work with that
would agree to that. And if they would give me that reason, I would have
a very serious chat with them. Incoming data must be checked in the web
form and at first arrival at the server. Neither is in place in
PHP-Server-1.1.
My advice to you: make it very clear on the download location that this
software is unsafe and a potential hazard to your server and database.
>
> Agreed! You never know when someone might find a way to inject unsafe
> data into your database. It's much safer to escape it as you output
> it. (Also you might output it in different places, requiring
> different escaping)
>
Sorry ... can't believe I'm reading this. Any software security
specialist would disagree.
br,
Niels
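The thread argues over two layers: checking data at first arrival at the server (Niels) and escaping at output, per context (Norman). As an added illustration, not code from the PHP-server-1.1 project or from anyone in this thread, the script below does both at once: it validates each incoming field against an allow-list when it arrives, binds parameters for the database instead of hand-escaping, and then escapes once per output context (HTML body, HTML attribute, URL parameter). The function names, the `profiles` table and the sample `$post` array are constructed for the example.

```php
<?php
// Added example: validate at arrival AND escape per output context.
// Function names, table layout and sample input are hypothetical.
declare(strict_types=1);

// Layer 1: check incoming data at first arrival, per field, against an
// allow-list. Reject what does not fit; do not "clean" it by hand.
function validateProfileInput(array $post): array
{
    $errors = [];
    $clean  = [];

    $nick = (string)($post['nickname'] ?? '');
    if (preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $nick) !== 1) {
        $errors['nickname'] = 'must be 3-32 letters, digits or underscores';
    } else {
        $clean['nickname'] = $nick;
    }

    $site = (string)($post['homepage'] ?? '');
    $url  = filter_var($site, FILTER_VALIDATE_URL);
    $scheme = $url === false ? null : parse_url($url, PHP_URL_SCHEME);
    if ($url === false || !in_array($scheme, ['http', 'https'], true)) {
        $errors['homepage'] = 'must be an http(s) URL';
    } else {
        $clean['homepage'] = $url;
    }

    // Free text: keep the raw value, only bound its length. It is escaped
    // later, at output, for whichever context it lands in.
    $bio = (string)($post['bio'] ?? '');
    if (mb_strlen($bio, 'UTF-8') > 500) {
        $errors['bio'] = 'at most 500 characters';
    } else {
        $clean['bio'] = $bio;
    }

    return [$clean, $errors];
}

// Layer 2: escape at the point of use, once per output context.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function forHtmlAttr(string $s): string
{
    // Same escaping as the body; safe only inside a quoted attribute.
    return forHtml($s);
}

function forUrlParam(string $s): string
{
    return rawurlencode($s);
}

// Database context: no hand-escaping at all; bind parameters.
function storeProfile(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO profiles (nickname, homepage, bio) VALUES (:n, :h, :b)'
    );
    $stmt->execute([
        ':n' => $clean['nickname'],
        ':h' => $clean['homepage'],
        ':b' => $clean['bio'],
    ]);
}

// Constructed sample input standing in for $_POST.
$post = [
    'nickname' => 'niels_b',
    'homepage' => 'https://example.com/~niels',
    'bio'      => 'I like <b>bold</b> claims & "quotes"; DROP TABLE profiles;--',
];

[$clean, $errors] = validateProfileInput($post);
if ($errors !== []) {
    foreach ($errors as $field => $msg) {
        fwrite(STDERR, "$field: $msg\n");
    }
    exit(1);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (nickname TEXT, homepage TEXT, bio TEXT)');
storeProfile($db, $clean);

$row = $db->query('SELECT nickname, homepage, bio FROM profiles')
          ->fetch(PDO::FETCH_ASSOC);

// Each output context gets its own escaping of the same stored value.
echo '<p>', forHtml($row['bio']), "</p>\n";
echo '<a href="', forHtmlAttr($row['homepage']), '">',
     forHtml($row['nickname']), "</a>\n";
echo '/search?q=', forUrlParam($row['bio']), "\n";
```

The bio is stored exactly as typed; the `DROP TABLE` fragment never reaches the SQL parser because it travels as a bound parameter, and the `<b>` and quotes are neutralised only when the value is rendered into HTML. The nickname and homepage fields, by contrast, are rejected at arrival if they do not match the allow-list, which is the check Niels is asking for. Requires PHP 7.1 or later with the `pdo_sqlite` and `mbstring` extensions.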