[nycphp-talk] Injection Attack, any ideas?
Gary Mort
bz-gmort at beezifies.com
Sat Nov 17 08:29:46 EST 2007
David Krings wrote:
> Exactly! All input is evil, even when it comes from your database and
> your script. There is no good reason not to check input each and every
> time, there are only bad excuses for not doing it.
>
Well, by that token you should maintain a digital signature of every
script that runs, and PHP should check those signatures before running
the program. Than of course every program should be checking the
digital signature of php itself on the server to make sure no one
tampered with that. Oh, and you might as well be checking digitial
signatures of any other php file you plan on including before you allow
it to be included.
Of course, eventually all this checking is going to drag your
performance down to an unacceptable level. But that's a bad excuse for
not doing it.
:-)
-Gary
More information about the talk
mailing list