[nycphp-talk] User Input Data scrubbing
mmwaldman at nyc.rr.com
Sun Nov 30 00:47:26 EST 2008
<script> alert('hi'); </script>
' delete from users;
" delete from users;
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Konstantin Rozinov
Sent: Saturday, November 29, 2008 10:27 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] User Input Data scrubbing
Does anyone know where I can find a list of sample MALICIOUS data that
I can input into my forms to see how the code reacts?
I'm not looking for any automation or program, just the actual sample
data. I'm trying to do QA on my code.
Any help would be greatly appreciated. Thanks.
On Sat, Nov 29, 2008 at 12:12 AM, Elijah Insua <tmpvar at gmail.com> wrote:
> Yeah, or these two words: "Filter Input"
> Whichever route you take, you also need to do SQL injection cleansing.
> Scrub, rinse, repeat.
> On Fri, Nov 28, 2008 at 8:00 PM, Chris Shiflett <shiflett at php.net> wrote:
>> On Nov 28, 2008, at 16:59, Michele Waldman wrote:
>>> What about inserting a comment
>>> <script>alert('hi');</script>'; delete from users;
>>> Like I'm going to name my table users?
>>> With that one statement about they have performed an SQL injection and
>>> html injection in one stroke.
>>> Bada bing bada bang bada boom
>>> Next time I display their comment out of the database they are popping
>>> an alert to every user and my users are gone.
>> Two words: escape output
>> Chris Shiflett
>> New York PHP User Group Community Talk Mailing List
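As an added example (not from any poster in this thread, and written in Python rather than PHP so it can be run as a stand-alone check), the following takes the sample inputs posted above and pushes them through the two controls the thread recommends: a parameterized query on the way in, and output escaping on the way out. The `users` and `comments` tables are a constructed test fixture, and the in-memory SQLite database stands in for whatever database the form actually writes to. The point of the check is what Konstantin asked for: after storing each payload, the `users` table still has the same rows, and the rendered comment contains no live `<script>` tag.

```python
import html
import sqlite3

# Constructed sample inputs: the payloads quoted in this thread
# (the alert() snippet and the quote-prefixed DELETE fragments).
SAMPLE_INPUTS = [
    "<script> alert('hi'); </script>",
    "' delete from users;",
    '" delete from users;',
    "<script>alert('hi');</script>'; delete from users;",
]


def setup_db():
    """Constructed fixture: in-memory SQLite with a users and a comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def store_comment(conn, body):
    """Store untrusted text with a parameterized query: the value travels
    separately from the SQL text, so quotes and semicolons in it stay data."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()


def render_comment(body):
    """Escape for an HTML text context at output time ("escape output").
    quote=True also escapes ' and " so the value is safe inside attributes."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def stored_comments(conn):
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def run_samples():
    """Push every sample through storage and rendering; return what QA would check."""
    conn = setup_db()
    before = user_count(conn)
    for text in SAMPLE_INPUTS:
        store_comment(conn, text)
    stored = stored_comments(conn)
    return {
        "users_before": before,
        "users_after": user_count(conn),
        "stored": stored,
        "rendered": [render_comment(body) for body in stored],
    }


if __name__ == "__main__":
    result = run_samples()
    print("users before/after:", result["users_before"], result["users_after"])
    for original, out in zip(result["stored"], result["rendered"]):
        print(repr(original), "->", out)
```

Note that the stored text is kept exactly as submitted; the escaping happens only when it is rendered into HTML, which is what keeps the same comment safe to reuse in a different output context (JSON, a mail body) with that context's own escaping.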