Hi Lester,

On Fri, Sep 2, 2016 at 7:58 PM, Lester Caine <les...@lsces.co.uk> wrote:
> A filter of "is this string corrupted with an injection attempt" seems
> rather more difficult to define than "email"? And applying the first in
> general on every string when there are a set of simple filters that can
> be used ... as an alternative to the more difficult to define ones?
Input validation code does not have to address all injections. It is the output code's responsibility to prevent injections in the first place, i.e. Top 10 Secure Coding Practices, #7:
https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices

Nonetheless, poor ID validation is not rare even in well-known code. It is easy to make sure parameters like ID are safe from any injections, e.g.
https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q

ID is not the only one; Accept-Language, encoding, Referer, etc. are common sources of injections also.

Input validation code is for mitigation against unknown/unaddressed vulnerabilities in the entire code: not only PHP code, but also the language, libraries written in C/C++ and/or external systems such as the DB.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
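An added worked example of the two layers discussed in the message above (strict input validation of an ID parameter and an Accept-Language header as defence in depth, with injection still prevented on the output side by bound parameters). This is illustrative code written for this page, not code from the thread, from PHP itself, or from the Rails advisory linked above; the function names, the allow-list of languages and the sample inputs are my own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Function names and the sample
// inputs below are constructed for illustration. The idea: pin an ID and an
// Accept-Language value to an exact shape before they reach code you do not
// control (the engine, C libraries, the database), while still preventing
// injection where the output is produced, with bound parameters.

// Accept only a canonical non-negative decimal integer that fits in PHP_INT_MAX.
// Deliberately stricter than filter_var($v, FILTER_VALIDATE_INT), which
// tolerates surrounding whitespace and a leading "+". \A and \z are used
// instead of ^ and $ because $ also matches before a trailing "\n".
function validate_id(string $raw): ?int
{
    if (!preg_match('/\A(?:0|[1-9][0-9]*)\z/', $raw)) {
        return null; // sign, whitespace, leading zeros, "1e3", "0x2A", NUL, empty
    }
    $max = (string) PHP_INT_MAX;
    // No leading zeros, so comparing length and then bytes is a numeric comparison.
    if (strlen($raw) > strlen($max)
        || (strlen($raw) === strlen($max) && strcmp($raw, $max) > 0)) {
        return null; // would overflow the native integer
    }
    return (int) $raw;
}

// Reduce a raw Accept-Language header to one tag from the allow-list of
// languages the application actually serves; anything else falls back to
// the first supported tag. Only well-formed, lowercase tags can get through.
function validate_accept_language(string $raw, array $supported): string
{
    foreach (explode(',', $raw) as $part) {
        $tag = strtolower(trim(explode(';', $part, 2)[0]));
        if (preg_match('/\A[a-z]{2,3}(?:-[a-z0-9]{2,8})*\z/', $tag)
            && in_array($tag, $supported, true)) {
            return $tag;
        }
    }
    return $supported[0];
}

// Output side: the validated integer is still passed as a bound parameter,
// never interpolated into the SQL string. Validation is a second layer.
function fetch_user(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs, not taken from any real request.
$ids = ['42', '0', '007', ' 42', '+42', "42\n", '1e3', '0x2A',
        '42 OR 1=1', "42\0", str_repeat('9', 30), (string) PHP_INT_MAX];
foreach ($ids as $raw) {
    printf("%-36s => %s\n", json_encode($raw), var_export(validate_id($raw), true));
}

$supported = ['en', 'fr-ch', 'ja'];
echo validate_accept_language('fr-CH;q=0.9, ../../etc/passwd, en;q=0.8', $supported), "\n";
echo validate_accept_language('<script>alert(1)</script>', $supported), "\n";

// Constructed in-memory table so the output side can be exercised offline.
if (class_exists('PDO') && in_array('sqlite', PDO::getAvailableDrivers(), true)) {
    $db = new PDO('sqlite::memory:', null, null,
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users VALUES (42, 'alice')");
    $id = validate_id('42');
    if ($id !== null) {
        var_dump(fetch_user($db, $id));
    }
}
```

Of the sample IDs only "42", "0" and the PHP_INT_MAX string survive; the rest are rejected before any backend sees them. The Accept-Language helper returns "fr-ch" for the first header and falls back to "en" for the second. The validation functions do not replace the prepared statement: the two layers address different failure modes, which is the point the message makes about mitigating vulnerabilities in code outside PHP.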