Jay Blanchard wrote:
One of my developers saw the following article;
http://arstechnica.com/news.ars/post/20070802-security-experts-warn-developers-about-the-risks-of-premature-ajax-ulation.html
How are you securing Ajax? I know that for the most part we send data to
a PHP script for processing, so all of the normal rules for sending that
data apply (mysql_real_escape_string(), etc.)
We secure AJAX the way we do anything that might take form input. We use
intval() and floatval() on numeric fields to flat-out prevent text
entry, we add slashes to strings where appropriate, check lengths and
ranges, and do various other sanity checks. Other than being out of band
and invisible to the user as a direct act, we don't see how AJAX is any
different from normal form GET/POST work.
I do agree with the article that some programmers put too much logic in
the client side, but that's always been an issue, with or without AJAX.
Remember the days when early shopping carts would store item prices on
the client side, and use that data during checkout? You could edit your
local data and knock $20 off an item. That sort of thing. You NEVER
trust the client. Ever. You assume it simply cannot ever be completely
secured. Period. Seeing something like this just shows me a developer
that trusted the client, and it doesn't particularly surprise me when
they get burned.
Regards,
Chad
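Added example, not from the thread: a PHP handler that applies the rules Chad lists to an AJAX checkout request. It casts numeric fields with intval(), bounds the quantity and the length of a free-text field, and recomputes the total from a server-side catalog so that a "price" field sent by the client is simply ignored (the $20-discount case). The catalog, the field names (item_id, qty, note, price) and the functions validate_checkout() and store_order() are assumptions made for the example; the request array is constructed to look like a tampered client. Storage uses a PDO prepared statement with an in-memory SQLite database rather than mysql_real_escape_string(), which belongs to the old mysql extension that was removed in PHP 7.

```php
<?php
// Added example (not from the original thread): server-side validation of an
// AJAX checkout request. $catalog, validate_checkout(), store_order() and the
// field names item_id/qty/note/price are assumptions for illustration.
declare(strict_types=1);

// Constructed sample catalog; in a real application this is a database lookup.
// Prices live here, on the server, never in the client's payload.
$catalog = [
    101 => ['name' => 'Widget', 'price' => 19.99],
    102 => ['name' => 'Gadget', 'price' => 49.50],
];

function validate_checkout(array $input, array $catalog): array
{
    $errors = [];

    // intval() forces an integer: "101 OR 1=1" collapses to 101 and
    // non-numeric junk to 0, which the range check below then rejects.
    $itemId = intval($input['item_id'] ?? 0);
    if ($itemId <= 0 || !isset($catalog[$itemId])) {
        $errors[] = 'unknown item';
    }

    $qty = intval($input['qty'] ?? 0);
    if ($qty < 1 || $qty > 99) {
        $errors[] = 'quantity out of range';
    }

    // Free-text field: cast to string, bound its length, reject control characters.
    $note = (string)($input['note'] ?? '');
    if (strlen($note) > 200) {
        $errors[] = 'note too long';
    } elseif (preg_match('/[\x00-\x1F\x7F]/', $note)) {
        $errors[] = 'note contains control characters';
    }

    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }

    // The client may send "price", but it is never read: the total comes from
    // the server's own catalog, which is what defeats the client-side price edit.
    $price = $catalog[$itemId]['price'];
    return [
        'ok'      => true,
        'item_id' => $itemId,
        'qty'     => $qty,
        'note'    => $note,
        'total'   => round($price * $qty, 2),
    ];
}

// Persist the validated order with bound parameters; no manual escaping needed.
function store_order(PDO $db, array $order): int
{
    $db->exec('CREATE TABLE IF NOT EXISTS orders ('
        . 'id INTEGER PRIMARY KEY, item_id INTEGER, qty INTEGER, note TEXT, total REAL)');
    $stmt = $db->prepare(
        'INSERT INTO orders (item_id, qty, note, total) VALUES (:item_id, :qty, :note, :total)'
    );
    $stmt->execute([
        ':item_id' => $order['item_id'],
        ':qty'     => $order['qty'],
        ':note'    => $order['note'],
        ':total'   => $order['total'],
    ]);
    return (int)$db->lastInsertId();
}

// Constructed request standing in for $_POST: a tampered client that sends its own price.
$request = ['item_id' => '101', 'qty' => '2', 'price' => '0.01', 'note' => 'gift wrap'];

$result = validate_checkout($request, $catalog);
if ($result['ok']) {
    $db = new PDO('sqlite::memory:');
    $result['order_id'] = store_order($db, $result);
}
header('Content-Type: application/json');
echo json_encode($result), "\n";
```

Run from the command line the script prints an order with a total of 39.98, computed from the catalog price of item 101, regardless of the 0.01 the client supplied; swapping item_id for a non-numeric string or qty for 500 yields the error list instead, and nothing reaches the database.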
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php