[nycphp-talk] Injection Attack, any ideas?
David Krings
ramons at gmx.net
Sat Nov 17 10:19:29 EST 2007
Gary Mort wrote:
> David Krings wrote:
>> Exactly! All input is evil, even when it comes from your database and
>> your script. There is no good reason not to check input each and every
>> time, there are only bad excuses for not doing it.
>>
>
> Well, by that token you should maintain a digital signature of every
> script that runs, and PHP should check those signatures before running
> the program. Then of course every program should be checking the
> digital signature of php itself on the server to make sure no one
> tampered with that. Oh, and you might as well be checking digital
> signatures of any other php file you plan on including before you allow
> it to be included.
>
> Of course, eventually all this checking is going to drag your
> performance down to an unacceptable level. But that's a bad excuse for
> not doing it.
> :-)
>
> -Gary
>
But since when are scripts considered input?