NYCPHP Meetup

[Dan Cech]

tedd wrote:
>>  > Any ideas about how I can reproduce this problem would greatly
>>>  appreciate and any suggestions about how to fix it would be even more
>>>  greatly appreciated.            8-)
>>>
>>>  Thanks for your attention.
>>>
>>>
>>>  --
>>>  Best regards,
>>  >  mikesz                          mailto:mikesz at qualityadvantages.com
>>>
> 
> Scrub and clean all user input.
> 
> My understanding -- nothing can get in unless you allow it (barring
> server breaches).
> 
> Here's an example of js injection:
> 
> http://webbytedd.com/bb/insecure-form/
> 
> SQL injection (as I understand it) is simply allowing the user to
> prepare (in part) the SQL query. Scrub and clean user input and prepare
> the query yourself as per what you will allow.

With all due respect, this is bad advice.  The decision to allow or
disallow certain content is a business/application decision, not a
security decision.

If you display content properly *as content* then it does not matter
what it is.  The security problem here is NOT the data, it is the fact
that the data is being displayed *as code*, in this case html code.

The fact that your example demonstrates the proper approach (using html
escaping to display the user data) rather than 'scrubbing and cleaning'
the input makes this advice even more confusing.

Dan