PerlMonks  

Re: how could i make "them" understand that security IS important ?

by Dog and Pony (Priest)
on Sep 11, 2002 at 22:40 UTC ( [id://197107] )


in reply to how could i make "them" understand that security IS important ?

Well, I wonder... how are the parameters used? Are they passed to the shell or used for SQL queries? Or are the parameters just checked by name to see what they contain, with following actions, and anything leftover not ever used? There is a big difference - although, for total honesty one could argue that this could change later.

Under perl, -T will get you very far with answering these questions too.

I have to repeat what others have said here: you cannot trust the client, even if it isn't just a browser but something closed-source and compiled. It is not exactly hard (usually) to capture whatever the client is sending and mimic/"enhance" that yourself. If you are worried about extra parameters doing any harm, filter server-side! Always! Anything client-side is just cosmetics. :)

This also reminded me about this node by merlyn. It is a good laugh about undoubtedly real security flaws. :)


You have moved into a dark place.
It is pitch black. You are likely to be eaten by a grue.

Re: Re: how could i make "them" understand that security IS important ?
by iza (Monk) on Sep 12, 2002 at 09:08 UTC
    They ARE used for SQL queries, and some can/could be passed to the shell command (fopen() ... !!!) ... and as I said, I'm conscious it's just cosmetics, but it's better than nothing - filtering server-side had been removed some time ago ... (and that's something I had coded. Maybe it's not a security problem, maybe they just remove everything I code ... why did they pay me then? Damn, I'm getting totally paranoid now! ;]])
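The two points above, "-T will get you very far" and "filter server-side, always", put together in one script. This is an added illustration, not code from either poster: the request parameters are constructed inline (and tainted by hand, since nothing here comes from a real CGI request), the parameter names, patterns and the `users` table are made up for the demo, and the SQL step runs only if DBI and DBD::SQLite happen to be installed.

```perl
#!/usr/bin/perl -T
# Whitelist request parameters server-side and launder them through
# taint mode before they go anywhere near a shell command or an SQL query.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# -T refuses to run external commands until the environment is cleaned up.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed request (assumption: in a real CGI script these would come from
# QUERY_STRING, STDIN or CGI.pm, which -T taints for you). Here each value is
# tainted by appending a zero-length slice of %ENV, which is tainted under -T.
my $taint = substr($ENV{PATH}, 0, 0);
my %param = (
    user   => 'alice'          . $taint,
    action => 'view'           . $taint,
    debug  => '1; rm -rf /tmp' . $taint,   # an "extra" parameter the client added
);

# Step 1: filter by name. Only parameters this script asked for survive;
# leftovers are dropped here and never reach a query or a shell.
my %allowed = map { $_ => 1 } qw(user action);
my @keep    = grep { $allowed{$_} } sort keys %param;
my %clean;
@clean{@keep} = @param{@keep};

# Step 2: filter by value. The only way to untaint under -T is a regex
# capture, so each pattern must describe exactly what a legitimate value is.
my %rule = (
    user   => qr/\A([a-z][a-z0-9_]{0,31})\z/,
    action => qr/\A(view|edit|delete)\z/,
);
for my $name (sort keys %clean) {
    my ($ok) = $clean{$name} =~ $rule{$name}
        or die "parameter '$name' rejected: $clean{$name}\n";
    $clean{$name} = $ok;                  # the capture is untainted
}

for my $name (sort keys %clean) {
    printf "%-6s = %-8s tainted=%d\n",
        $name, $clean{$name}, tainted($clean{$name}) ? 1 : 0;
}
printf "dropped: %s\n", join ', ', grep { !$allowed{$_} } sort keys %param;

# Step 3: only laundered values go to the shell (list form, absolute path).
system('/bin/echo', 'viewing', $clean{user}) == 0 or die "echo failed\n";

# Taint mode is the backstop: if an unfiltered value slips through by
# mistake, the call dies with "Insecure dependency in system".
eval { system('/bin/echo', $param{debug}); 1 }
    or print "blocked by -T: $@";

# Step 4: SQL gets placeholders, never string interpolation, even for values
# that already passed the filter (DBI/DBD::SQLite assumed, skipped if absent).
if (eval { require DBI; require DBD::SQLite; 1 }) {
    my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                           { RaiseError => 1 });
    $dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $dbh->do('INSERT INTO users (name) VALUES (?)', undef, 'alice');
    my ($id) = $dbh->selectrow_array(
        'SELECT id FROM users WHERE name = ?', undef, $clean{user});
    print "sql: user $clean{user} has id $id\n";
} else {
    print "sql: DBI/DBD::SQLite not installed, skipping\n";
}
```

Run it as `perl -T taint_filter.pl`; with the `-T` on the shebang line, running plain `perl taint_filter.pl` dies with "Too late for -T option", which is deliberate so the script cannot be started without taint checks. The name whitelist in step 1 is what makes the "leftover parameters" question moot, and the per-parameter patterns in step 2 are where the real policy lives; `-T` only guarantees you cannot forget to apply one.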
