On 17/08/16 00:43, Yasuo Ohgaki wrote:
> Allow me to top post.
>
> "The input validation" is not for legitimate users, but for attackers.
> You shouldn't help attackers by explaining what/how wrong in attackers'
> inputs.
What is expected as 'post' data input is defined when building the page. That some people will intercept the page and try to use it to inject 'invalid' data in an attempt to perhaps gain access to data is a separate problem, but still part of the validation process.

One of the hacks I had to deal with recently was simply an XSS hole because nobody filtered or trimmed the username. So you could just type what you wanted. Simply add a suitable pattern to the HTML5 validation and the casual hacker is averted ... but how many PHP examples actually use HTML5? Of course someone can build their own result set and bypass the browser validation. Which is where some clever use of JavaScript might help to add a security check to the submit packet. Outside PHP, but still part of the overall picture.

In any case, once the get/post array is in PHP there is a need to recheck everything once again, and while the average user may not be happy simply to bounce the page if the username field now has an invalid input, other systems will want to log the attempt and perhaps capture any source information. White screen crashes because someone has broken the data can be difficult to unravel, especially when it's some concerted effort to get in ... in my case someone trying every possible MySQL hack against Firebird :( So I end up with extra code to filter the attack attempt, and that tends to have to be at the variable level. It can be useful to give feedback simply to get them to give up without an explanation why. Simply crashing the page means they try the next option until they do get a response ...
-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
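The approach Lester describes (an HTML5 `pattern` on the form field, the same allow-list rechecked once the POST array reaches PHP, the attempt logged with source information, and a terse rejection instead of a white-screen crash) as one worked example. This is added code, not from Lester's post and not part of PHP itself; the field name `username`, the allow-list pattern, the log format and the use of `error_log()` as the sink are all assumptions made here, and the sample requests at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). The same allow-list pattern
// drives the HTML5 `pattern` attribute and the server-side recheck, so the
// browser turns away casual bad input and PHP rejects anything that bypassed it.
const USERNAME_PATTERN = '[A-Za-z0-9_.-]{3,32}';   // assumed policy for this example

// Emit the form field; `pattern` is the HTML5 attribute the post refers to.
function username_field(): string
{
    return '<input type="text" name="username" required maxlength="32"'
         . ' pattern="' . USERNAME_PATTERN . '">';
}

// Server-side recheck of a submitted value. Returns null when valid, otherwise
// a short reason code for the log (never an explanation sent back to the sender).
function validate_username(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return 'not-a-string';        // e.g. username[]=... sent as an array, or missing
    }
    $value = trim($raw);
    if ($value === '') {
        return 'empty';
    }
    // The HTML5 pattern is implicitly anchored, so anchor the PHP regex too.
    if (preg_match('/\A' . USERNAME_PATTERN . '\z/', $value) !== 1) {
        return 'pattern';
    }
    return null;
}

// Record the rejected attempt together with source information. The offending
// value is truncated and escaped so control characters cannot forge log lines.
function log_rejected_input(string $field, string $reason, mixed $raw, array $server): void
{
    $escape = static fn(string $s): string => addcslashes($s, "\0..\37\177..\377\\");
    $shown  = is_string($raw) ? $escape(substr($raw, 0, 64)) : gettype($raw);
    error_log(sprintf(
        'rejected %s (%s) from %s ua="%s" value="%s"',
        $field,
        $reason,
        $server['REMOTE_ADDR'] ?? '-',
        $escape((string)($server['HTTP_USER_AGENT'] ?? '-')),
        $shown
    ));
}

// Handle the POST: reject quietly (HTTP 400, no detail) rather than letting
// broken data reach the database layer and white-screen the page.
function handle_login_post(array $post, array $server): array
{
    $raw    = $post['username'] ?? null;
    $reason = validate_username($raw);
    if ($reason !== null) {
        log_rejected_input('username', $reason, $raw, $server);
        return ['status' => 400, 'body' => 'Invalid request.'];
    }
    // Safe to continue: trimmed, allow-listed username; still escaped on output.
    $name = htmlspecialchars(trim($raw), ENT_QUOTES, 'UTF-8');
    return ['status' => 200, 'body' => 'Welcome, ' . $name];
}

// Constructed sample requests so the file can be run directly from the CLI.
if (PHP_SAPI === 'cli') {
    $server = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => 'example-client'];
    var_dump(handle_login_post(['username' => 'lester_c'], $server)['status']);
    var_dump(handle_login_post(['username' => '<script>alert(1)</script>'], $server)['status']);
    var_dump(handle_login_post(['username' => ['x']], $server)['status']);
    var_dump(handle_login_post([], $server)['status']);
}
```

Keeping one shared constant for both sides is the point: the browser check is a convenience for legitimate users, while the anchored `preg_match()` recheck is the one that actually matters, since anyone can post a hand-built request. The log line carries the remote address and user agent but only an escaped, truncated copy of the value, which is what lets an operator see a concerted probe without the log itself becoming an injection surface.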