Re: advice on sql injection/XSS prevention

Actually there is a tool available for automated validation of PHP code. It's called static source code analysis, which, very simply stated, acts like a spell checker for custom-developed code. This tool is very accurate at finding vulnerabilities, especially SQL injection and XSS, and can be run directly against the source code, so it doesn't need the application to be up and running.

This company

http://www.armorize.com/services/securityasaservice?utm_source=jordan&utm_medium=post

is offering this kind of tool delivered as a service directly over the Web, which means you can either request that those authorized people verify their code security before posting, or you can do it after they have posted. The tool shows the vulnerability as well as the tainted origin that introduces it and provides fix suggestions, etc., so everything can be fixed in a very short time with very little effort -- no installation required.

From: Zoltán Németh <znemeth@xxxxxxxxxxxxxx>
To: Bing Du <bdu@xxxxxxxxxxx>
CC: php-general@xxxxxxxxxxxxx
Subject: Re: advice on sql injection/XSS prevention
Date: Thu, 05 Apr 2007 16:23:23 +0200

I think it is generally a Bad Idea to allow users to submit code into
your system...
You would be better off providing some pseudo-coding possibilities
that would allow them to insert certain functionalities into their
content, with you providing the real code running behind and replacing
the pseudo-codes with the process results.

greets
Zoltán Németh

On Thursday, 5 April 2007 at 09:17, Bing Du wrote:
> Hi,
>
> I'm not an experienced PHP developer. We're hosting a content management
> system that allows authorized people to add PHP content. Their PHP coding
> levels vary. Some are very security sensitive, but some are not. I
> want to know if PHP has any ready-to-use function to validate form input to
> help prevent SQL injection/XSS, so each programmer doesn't have to write
> their own form validation code. I'd appreciate any advice or pointers.
>
> Thanks in advance,
>
> Bing
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



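An added example, not code from any message in this thread: Bing asks whether PHP has ready-made functions against SQL injection and XSS, and Zoltán suggests pseudo-codes expanded server-side instead of letting editors submit PHP. The script below shows both. It uses PDO with an in-memory SQLite database and constructed sample rows so it runs offline; the `[[tag:argument]]` syntax and the two tag names (`user_count`, `greet`) are assumptions made for the illustration, not anything from the thread or from a real CMS.

```php
<?php
// Added example, not code from any message in this thread.
// Needs PHP 7.4+ with the pdo_sqlite extension; all data below is constructed.
declare(strict_types=1);

// ---- 1. SQL injection: string concatenation vs. a prepared statement ---------

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable: the value is pasted into the SQL text, so a quote in it closes
// the literal and whatever follows is parsed as SQL.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the statement is compiled without the value, and the value is
// bound afterwards as data only. No escaping function is involved.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$hostile = "x' OR '1'='1";   // constructed, as it might arrive in $_GET['name']
// In the unsafe query the injected OR clause matches every row; in the safe
// one the whole string is compared as a name and nothing matches.
printf("unsafe: %d rows\n", count(findUserUnsafe($db, $hostile)));
printf("safe:   %d rows\n", count(findUserSafe($db, $hostile)));

// ---- 2. XSS: encode at output, for the HTML context ----------------------------

// ENT_QUOTES also encodes single quotes, so the result is safe inside quoted
// attributes as well as in text nodes. Encode where the value is printed, not
// where it is read: the same value may later go into SQL, a log or JSON.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo '<p>' . h('<script>alert(document.cookie)</script>') . "</p>\n";

// ---- 3. Pseudo-codes instead of user-supplied PHP -------------------------------

// Editors write [[tag]] or [[tag:argument]] in their content. Only the functions
// in this fixed table run, server-side; nothing in the content is ever eval()'d.
// The tag syntax and tag names are assumptions for this example.
$handlers = [
    'user_count' => fn(PDO $db, string $arg): string =>
        (string) $db->query('SELECT COUNT(*) FROM users')->fetchColumn(),
    'greet'      => fn(PDO $db, string $arg): string => 'Hello, ' . h($arg) . '!',
];

function renderPseudoTags(string $content, array $handlers, PDO $db): string
{
    // Split into literal text and tag tokens; captured delimiters are kept.
    $parts = preg_split('/(\[\[[a-z_]+(?::[^\]]*)?\]\])/', $content, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $part) {
        if (preg_match('/^\[\[([a-z_]+)(?::([^\]]*))?\]\]$/', $part, $m) && isset($handlers[$m[1]])) {
            // Known tag: trusted server-side code runs with an editor-chosen argument.
            $out .= $handlers[$m[1]]($db, $m[2] ?? '');
        } else {
            // Literal text and unknown tags are HTML-encoded, so raw markup is inert.
            $out .= h($part);
        }
    }
    return $out;
}

$content = 'We have [[user_count]] users. [[greet:<b>Bing</b>]] [[phpinfo]] <script>x()</script>';
echo renderPseudoTags($content, $handlers, $db), "\n";
```

Run it with `php example.php`. Part 1 shows the concatenated query returning both users for the hostile input while the prepared statement returns none; part 2 shows the script tag arriving in the page as literal text; part 3 shows the two known tags expanded by server code while the unknown `[[phpinfo]]` and the stray `<script>` are printed encoded and harmless. The design point for Bing's situation is that the prepared statement and the output encoder are the two "ready-to-use" pieces every editor can be handed, and the pseudo-tag renderer is what lets the hosting side keep the real code out of editors' hands, as Zoltán suggests.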

