Chris W. Parker wrote:
> One question. (Because I'm a lame brain when it comes to security as I'm
> not good at imagining how things can be exploited):
>
> Is it bad to give field names the same name as their database
> counterpart? i.e. In a database the first name column might be known as
> 'fname'. Should a form field called 'fname' NOT be created?

As long as you recognize that you need to filter things appropriately it
doesn't really matter.

Application-level Web security is not that hard. There is just 1 rule to
remember. Never trust anything that comes from the user. That includes all
GET, POST and Cookie data, which most people understand. But it also
includes the User Agent, the Referer, and even the Host header. Anything
that comes across the wire in the request can be hacked.

If you have written something and you'd like me to take a quick look for
any obvious exploits, feel free to mail me privately. If your site requires
a login, you can send me a test login if you want so I can dig a bit deeper,
otherwise I will still prod it from the outside. I'm not going to hack into
your server in any way, just prod your web application a little bit with
various web requests.

Server-level security is a completely different kettle of fish which mostly
comes down to keeping up to date with OS-level security updates.

So far about 80% of sites I have looked at have had pretty serious issues.
Like that www.vlaamse-kern.com one where you could trick people into
sending you their usernames and passwords pretty easily.

-Rasmus

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
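A PHP illustration of the filtering Rasmus describes, added here and not part of the original thread: the form field keeps the column's name, but the field-to-column mapping is a fixed allowlist, every value is validated, and the request headers he lists are treated as input too. It assumes a PDO connection in `$pdo`, a `users` table with `fname`/`lname`/`email` columns, and a placeholder hostname.

```php
<?php
// Added example (not from the original post). Assumes a PDO connection in
// $pdo and a "users" table with columns fname, lname, email (constructed).

// Form field names may match column names; what matters is that each value
// is validated and that column names come only from this allowlist, so a
// submitted field name never reaches the SQL text.
$fields = [
    'fname' => '/^[\p{L}\' -]{1,50}$/u',
    'lname' => '/^[\p{L}\' -]{1,50}$/u',
    'email' => FILTER_VALIDATE_EMAIL,
];

function validate_form(array $post, array $fields): array
{
    $clean = [];
    foreach ($fields as $name => $rule) {
        $value = $post[$name] ?? '';
        if (is_string($rule)) {
            $ok = is_string($value) && preg_match($rule, $value) === 1;
        } else {
            $ok = filter_var($value, $rule) !== false;
        }
        if (!$ok) {
            throw new InvalidArgumentException("Invalid value for $name");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

$clean = validate_form($_POST, $fields);

// Column names come from the allowlist keys; values go in as bound parameters.
$cols  = implode(', ', array_keys($clean));
$marks = implode(', ', array_fill(0, count($clean), '?'));
$stmt  = $pdo->prepare("INSERT INTO users ($cols) VALUES ($marks)");
$stmt->execute(array_values($clean));

// Headers are user input too. Host: check against a fixed list before using
// it to build links or redirects; User-Agent/Referer: bound the length and
// escape before echoing or logging.
$allowedHosts = ['www.example.com'];   // placeholder hostname
$host = $_SERVER['HTTP_HOST'] ?? '';
if (!in_array($host, $allowedHosts, true)) {
    http_response_code(400);
    exit('Bad Host header');
}
$ua = substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 200);
echo 'You are using: ' . htmlspecialchars($ua, ENT_QUOTES, 'UTF-8');
```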