On Tuesday 07 August 2007, Dan wrote:
> I know how you can use cross site scripting if you can steal cookies and do
> bad stuff with JS. My question now though is if I have a form, and I post
> to myself and just echo the value of that post, is that bad? Nobody else
> would see the result of my post so no malicious JS could ever do anything.
> I'm not doing any database calls, just storing what they typed in either an
> array or a variable and echoing it. Simple as that. Is that insecure?
>
> - Dan

You're fundamentally approaching it from the wrong angle. Do not assume that just because you can't think of a way to break it that there isn't one. Perhaps it just hasn't been invented yet. (XSRF, as a wide-spread concern, is younger than most web apps or CMSes out there.)

Assume that someone WILL try to break into your site and do evil nasty things. Assume that person is at least twice as smart as you and knows at least twice as much. Every single point where data enters your code is a security hole until proven otherwise. Every single HTTP header is a Threat until you've conclusively confirmed that it isn't by sanitizing it.

Do not ask "why is this insecure?" Ask "is this secure?" If the answer is even "well I think so" rather than "yes, because X, Y, Z", then you still have work to do.

Can you conclusively prove that someone can't make use of input that is output immediately back to them for illicit purposes? Then it's a security hole.

Given how clever the Bad Guys are, paranoia is a virtue when talking about online security.

--
Larry Garfield
AIM: LOLG42
larry@xxxxxxxxxxxxxxxx
ICQ: 6817012

"If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it."
-- Thomas Jefferson

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
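As an added illustration (not code from the thread, nor from Dan or Larry), here is the self-posting form Dan describes: the echo is shown first as he describes it, then with the two checks the reply calls for, output encoding for the HTML context and a per-session form token so the request has to come from a page this server rendered. The field name `msg`, the token name and the session key are assumptions for the example.

```php
<?php
// Added example: a form that posts to itself and echoes one field back.
// Field, token and session names are hypothetical.

session_start();

// Issue a per-session token; a submission must carry it, which ties the
// POST to a page this server rendered (the XSRF concern from the reply).
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function render_unsafe(array $post): string
{
    // "Just echo the value of that post": the submitted text is placed
    // into the HTML verbatim, so any markup in it becomes part of the page.
    return '<p>You typed: ' . ($post['msg'] ?? '') . '</p>';
}

function render_safe(array $post, array $session): string
{
    // 1. Reject the request unless it carries the token this session issued
    //    (hash_equals avoids a timing side channel on the comparison).
    if (!isset($post['token'], $session['csrf_token'])
        || !hash_equals($session['csrf_token'], $post['token'])) {
        return '<p>Request rejected: missing or stale form token.</p>';
    }
    // 2. Encode for the HTML text context before the value reaches output,
    //    so the submitted text is displayed as text, never parsed as markup.
    $safe = htmlspecialchars($post['msg'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>You typed: ' . $safe . '</p>';
}

// Declare the charset explicitly so the browser decodes the page the same
// way htmlspecialchars() encoded it.
header('Content-Type: text/html; charset=UTF-8');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo render_safe($_POST, $_SESSION);   // never render_unsafe()
}

$token = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="token" value="' . $token . '">'
   . '<input name="msg"> <button>Send</button>'
   . '</form>';
```

The two checks answer the two halves of the reply: the encoding settles "is the echoed value safe in this context?" with a reason rather than a guess, and the token settles "did this request really come from the user who sees the result?".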