Comments on: PHP Data Sanitization w/ Filter http://software.unh.edu/2009/06/08/php-data-sanitization-w-filter/ by the U, for the U Wed, 18 Nov 2009 14:02:09 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: Software @ UNH » Data Sanitization with jQuery Validation Plugin http://software.unh.edu/2009/06/08/php-data-sanitization-w-filter/comment-page-1/#comment-12 Software @ UNH » Data Sanitization with jQuery Validation Plugin Thu, 18 Jun 2009 19:41:06 +0000 http://software.unh.edu/?p=42#comment-12 [...] disabled or that someone with malicious intent might try to circumvent the validation. Check out Toby’s article on PHP’s filter function for an example of server side data [...] [...] disabled or that someone with malicious intent might try to circumvent the validation. Check out Toby’s article on PHP’s filter function for an example of server side data [...]

]]> By: Ed Sawyer http://software.unh.edu/2009/06/08/php-data-sanitization-w-filter/comment-page-1/#comment-9 Ed Sawyer Thu, 18 Jun 2009 13:12:17 +0000 http://software.unh.edu/?p=42#comment-9 Client-side validation is usually via javascript, which while useful from a functional standpoint, is pretty easily defeated from a security point of view. It's nice PHP has built-in validators for this stuff now. Even if the data is valid however, still often need to check if permissions should allow it. Thinking of url-hacking type attacks here (e.g. passing an integer on the URL, and having the user change it to a different integer for example). On the ColdFusion side of things we see a lot of SQL-injection based attacks via the FORM / POST variable scopes, so parameterizing query variables (like those passed on the URL) is crucial in any language (like PHP or CF). I think at WebSolutions we'll be doing more PHP-based stuff in the future (blogs/content management/etc.) -Ed Client-side validation is usually via javascript, which while useful from a functional standpoint, is pretty easily defeated from a security point of view.

It’s nice PHP has built-in validators for this stuff now. Even if the data is valid however, still often need to check if permissions should allow it. Thinking of url-hacking type attacks here (e.g. passing an integer on the URL, and having the user change it to a different integer for example).

On the ColdFusion side of things we see a lot of SQL-injection based attacks via the FORM / POST variable scopes, so parameterizing query variables (like those passed on the URL) is crucial in any language (like PHP or CF).

I think at WebSolutions we’ll be doing more PHP-based stuff in the future (blogs/content management/etc.)

-Ed

]]> By: Marcus Del Greco http://software.unh.edu/2009/06/08/php-data-sanitization-w-filter/comment-page-1/#comment-8 Marcus Del Greco Wed, 17 Jun 2009 18:45:17 +0000 http://software.unh.edu/?p=42#comment-8 Henninger's got a post in the works about client-side validation. We've got this one covered... Henninger’s got a post in the works about client-side validation. We’ve got this one covered…

]]>