NYCPHP Meetup

NYPHP.org

[nycphp-talk] JavaScript List?

Jim Hendricks jim at bizcomputinginc.com
Fri Jul 19 11:46:29 EDT 2002


> So, what's keeping me from saving your HTML to disk, editing it to remove
> the Java'sCrap validation, refreshing, entering bogus data that'll mess up
> your system into the reworked form and then submitting the form?
> Nothing.  Even if you do referrer checking, I can forge that.  In short,
> if you want security, data must be validated on the server.
There's everything stopping you. All my systems are built off a proprietary security system which first ensures that the person submitting the form is logged into our system. There are additional checks that ensure the sequential integrity of any submit. So the only person who can make such an attack on one of our systems must 1. be a good enough hack to know how to do something like this. 2. want to mess up our systems. 3. be a valid user in the system, or have the ability to hack into the system. 4. have the ability to hack our other form security checks. Can someone meet the bill? Sure. But how about calculating the odds. Then of course there is the database. Our systems have many different validation checks on the db server. From relational integrity checks to range checks to sequential integrity checks etc. So now not only does this hack need to do all the above, but he must figure out what bogus data he can get away with putting into our system.

Is it foolproof? Of course not, there's no such thing. Is it good enough? Depends on who you talk to. I have been in the business for 20 years. Been in the web business for 9 years. None of my customers have ever had a system hacked. That doesn't mean I can forget about security, it's just that why build Fort Knox to ensure someone doesn't steal my penny? Writing custom applications (which is all I do) changes completely how you program. I must be programming for the needs of the customer and within the budget of my customer. When I first started working in the web environment I was majorly concerned that http was insecure and a user's ID & password were passed in the clear. The threat of a lurker seemed very real. Now we have https, and via various means (many using JavaScript) keep the password secure. Prior to having these solutions though, I never had a problem with lurkers. Didn't necessarily make the threat unreal, just put the threat into the perspective of how few people have the skill to lurk & pick out specific security related items, and how fewer still are the people who would want to use that skill to break into a proprietary data system.

So, if I want security, I can still validate on the client.

> Perhaps because they figure it's not worth doing business with such a
> firm.  I certainly don't.
I didn't ask you to do business with my company. You have your choice. I have been very successful without you so far! And even if you wanted to do business with my company, it's totally up to you what tech we use for you. If you want zero javascript, so be it. We will explain the design issues that would be affected by such a decision as well as any monetary changes. You get to choose as the customer what you want and if you want to pay for Fort Knox to protect your penny, then we will build Fort Knox for you so long as you pay.

> > > But they all fall flat on their face when JS is off/unavailable, making
> > > your site unusable.
> >
> > True, but if the client wants to get rid of the page redraw & associated
> > delay during validation, then you WILL do JS and let the client know that
> > the app will not work with JS turned off.
>
> Nope.  If a firm doesn't trust my professional judgement, we're not meant
> to be doing business together.
Dan, I'm sorry you take such a hostile approach to application development. Our clients pay to have applications developed the way they want them. If my clients don't want to respect my professional judgement, that's their business, I don't have to pay for their foolery, they do. I am more than willing to profit off of a fool so long as I have vindicated myself by warning of the foolishness of something I am about to do on their behalf. In fact I have received much more business with this approach. I warn them of the danger, they ignore me, they pay for their ignorance, they remember that I warned them and are now willing to trust my professional judgement much more.
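The thread above turns on whether form data that passed JavaScript checks in the browser can be trusted once it reaches the server. The following is an added example, not code from the original post or from either participant: one rule table that a page can run in the browser for the quick feedback Jim describes, re-run by a simulated server handler that copies only the fields it knows and never consults anything the client claims about its own checks. The form fields (email, quantity, note), the rules, and the handleSubmit function are assumptions made for illustration.

```javascript
// Added example, not part of the original thread. One rule table drives both
// the browser-side check (skips the page redraw) and the server-side check
// (the one that decides). Field names and limits are assumed.

const RULES = {
  email:    { kind: "string", required: true, maxLength: 254,
              pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  quantity: { kind: "integer", required: true, min: 1, max: 100 },
  note:     { kind: "string", required: false, maxLength: 500 },
};

// Check one field against its rule; return an error message or null.
function validateField(name, value) {
  const rule = RULES[name];
  if (value === undefined || value === null || value === "") {
    return rule.required ? `${name} is required` : null;
  }
  if (rule.kind === "integer") {
    // Form posts arrive as strings; accept "5" but not "5.5" or "abc".
    const n = typeof value === "number" ? value : Number(String(value).trim());
    if (!Number.isInteger(n)) return `${name} must be a whole number`;
    if (n < rule.min || n > rule.max) {
      return `${name} must be between ${rule.min} and ${rule.max}`;
    }
    return null;
  }
  if (typeof value !== "string") return `${name} must be text`;
  if (value.length > rule.maxLength) return `${name} is too long`;
  if (rule.pattern && !rule.pattern.test(value)) return `${name} is not valid`;
  return null;
}

// Validate every field named in RULES. Keys the client added to the
// submission that are not in RULES are simply never looked at.
function validateForm(fields) {
  const errors = {};
  for (const name of Object.keys(RULES)) {
    const err = validateField(name, fields[name]);
    if (err) errors[name] = err;
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Simulated server handler for the POST body (hypothetical; stands in for
// whatever the real endpoint does). It re-runs the rules and builds the
// accepted record only from known fields, so an edited page, a missing
// script, or a flag claiming "already validated" changes nothing.
function handleSubmit(body) {
  const result = validateForm(body);
  if (!result.ok) return { status: 400, errors: result.errors };
  return {
    status: 200,
    accepted: {
      email: body.email,
      quantity: Number(body.quantity),
      note: body.note || "",
    },
  };
}

// Constructed sample submissions (not real traffic).
const GOOD_SUBMISSION = { email: "user@example.com", quantity: "3", note: "gift wrap" };
// The same form posted without the browser-side checks: an extra flag,
// an out-of-range quantity, a malformed address and an oversized note.
const EDITED_SUBMISSION = {
  email: "not-an-address",
  quantity: "-5",
  note: "x".repeat(10000),
  clientValidated: true,
};

console.log(JSON.stringify(handleSubmit(GOOD_SUBMISSION)));
console.log(JSON.stringify(handleSubmit(EDITED_SUBMISSION)));
```

The same validateForm function can be shipped to the browser to give instant feedback without a round trip; what matters for security is that handleSubmit calls it again with the body it actually received, and that the accepted record is built from a fixed list of fields rather than from whatever keys arrived.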