Jay Blanchard wrote:
One of my developers saw the following article;
http://arstechnica.com/news.ars/post/20070802-security-experts-warn-developers-about-the-risks-of-premature-ajax-ulation.html
How are you securing Ajax? I know that for the most part we send data to
a PHP script for processing, so all of the normal rules for sending that
data apply (mysql_real_escape_string(), etc.).
Validation, validation, validation. The big danger with doing anything
on the client-side is that it's all too easy to fall into blindly
trusting what the client is giving you; even the smallest assumption can
create a big hole in your app.
Don't assume events will happen the way you expect them to. Don't assume
users won't be able to make requests just because your logic *should
not* allow it.
In short, don't treat it any different to any other web application.
There is no difference: you still need to do all the validation on every
request, whether it's AJAX or not.
-Stut
--
http://stut.net/
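A PHP handler for an AJAX request written the way Stut describes, added here as an illustration and not code from the thread: the session, not the client, decides who is logged in; every parameter is type-checked on the server; the query itself enforces ownership so a request the UI "should not" allow still fails; and the database call uses a prepared statement rather than mysql_real_escape_string(). The table, columns, session layout and connection values are assumptions.

```php
<?php
// Added example (not from the original thread): an AJAX endpoint that
// re-validates everything server-side instead of trusting client state.
// Assumes a table `items` (id, owner_id, quantity) and a session set at login.
declare(strict_types=1);
session_start();
header('Content-Type: application/json');

function fail(int $status, string $msg): void {
    http_response_code($status);
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. Authentication: the client claiming "I'm logged in" means nothing; the session does.
if (empty($_SESSION['user_id'])) {
    fail(401, 'not authenticated');
}

// 2. Only accept the method the endpoint is designed for.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'method not allowed');
}

// 3. Validate types and ranges; never assume the JavaScript sent what the form allows.
//    filter_input() returns null when the field is absent and false when it fails validation.
$itemId   = filter_input(INPUT_POST, 'item_id',  FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$quantity = filter_input(INPUT_POST, 'quantity', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 100]]);
if (!is_int($itemId) || !is_int($quantity)) {
    fail(400, 'invalid item_id or quantity');
}

// 4. Authorization lives in the query: a user may only change their own rows,
//    even if the UI "should not" have let them pick someone else's item.
$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'shop'); // placeholder credentials
$stmt = $db->prepare('UPDATE items SET quantity = ? WHERE id = ? AND owner_id = ?');
if ($stmt === false) {
    fail(500, 'server error');
}
$stmt->bind_param('iii', $quantity, $itemId, $_SESSION['user_id']);
$stmt->execute();

// 5. Zero affected rows means the item is not theirs or does not exist;
//    report the same answer for both so the response leaks nothing.
if ($stmt->affected_rows === 0) {
    fail(404, 'item not found');
}
echo json_encode(['ok' => true, 'item_id' => $itemId, 'quantity' => $quantity]);
```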
--
PHP General Mailing List (http://www.php.net/)