Re: Question about a security function

On 5/21/2010 10:36 AM, Jim Lucas wrote:
> Al wrote:
>>
>> On 5/21/2010 9:24 AM, David Otton wrote:
>>> On 20 May 2010 16:51, Al<news@xxxxxxxxxxxxx> wrote:
>>>
>>>> I'm not being clear. First pass is thru the blacklist, which effectually
>>>> tells hackers to not bother and totally deletes the entry.
>>>>
>>>> If the raw entry gets past the blacklist, it must then only contain my
>>>> whitelist tags. e.g., the two examples you cited were caught by the
>>>> whitelist parser.
>>>
>>> Ah, gotcha. That seems like a much better approach to me. But if the
>>> whitelist's going to stop the submission, then why bother with a
>>> blacklist at all?
>>
>> Like I said above, first pass is thru the blacklist, which effectually
>> tells hackers to not bother and totally deletes the entry.
>>
>> Also, it's possible that one of my non-techie users can unwittingly
>> enter hack code. I want to make a big deal of it. My error message says
>> in red "Illegal code entered. It was not saved. Reenter your text
>> without it." Remember, I show them the error segment so they know
>> exactly what the problem is. There is also another msg which says to
>> contact tech support with a link.
>
> Do you actually "show them" the error?  That would give away your mystical
> powers of detection... :)


Keep in mind that my users are authenticated before being allowed access. So, I'm covering the situations where my user's PW has been stolen or the hacker got past the auth.

Fact is, I mainly want to prevent malicious scripts from being placed on my pages rendered as HTML. I just spent some time helping a website I designed some years ago, but have not been involved with for two years, investigate a hacking. The folks maintaining the site ignored all of my recommendations for good security practices. Bottom line: 920 html and php files that generate html have a script that sends every visitor's IP and the page's URL to a website in RU. I don't know why they want this info; the site belongs to a running club.
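The two-pass check Al describes in this thread, written out as an added example in PHP (it is not code from any poster); the blacklist patterns, the allowed tag list and the function name `check_entry` are assumptions chosen for illustration:

```php
<?php
// Added example, not code from the thread. Pass 1: if any blacklisted
// pattern appears, the whole entry is rejected (never saved) and the
// offending segment is shown to the user. Pass 2: an entry that survives
// pass 1 may contain only whitelisted tags. Names here are assumptions.

// Pass 1: patterns that mean "reject outright, do not save".
$BLACKLIST = [
    '/<\s*script\b/i',                 // inline script element
    '/\bon[a-z]+\s*=/i',               // event-handler attributes, e.g. onload=
    '/javascript\s*:/i',               // javascript: URLs in href/src
    '/<\s*(iframe|object|embed)\b/i',  // embedded active content
];

// Pass 2: the only tags an entry may contain once it is past the blacklist.
$WHITELIST_TAGS = ['p', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'br'];

/**
 * Returns ['ok' => true] when the entry may be saved, otherwise
 * ['ok' => false, 'reason' => 'blacklist'|'whitelist', 'segment' => text].
 */
function check_entry(string $raw, array $blacklist, array $whitelist): array
{
    foreach ($blacklist as $pattern) {
        if (preg_match($pattern, $raw, $m, PREG_OFFSET_CAPTURE)) {
            // Echo back the segment that tripped the filter so the user
            // knows exactly what to remove.
            $segment = substr($raw, $m[0][1], 40);
            return ['ok' => false, 'reason' => 'blacklist', 'segment' => $segment];
        }
    }
    // Whitelist pass: every opening or closing tag must be in the allowed list.
    if (preg_match_all('/<\s*\/?\s*([a-z0-9]+)[^>]*>/i', $raw, $tags)) {
        foreach ($tags[1] as $i => $name) {
            if (!in_array(strtolower($name), $whitelist, true)) {
                return ['ok' => false, 'reason' => 'whitelist', 'segment' => $tags[0][$i]];
            }
        }
    }
    return ['ok' => true];
}

// Constructed sample entries: one clean, one caught by each pass.
foreach (['<p>Race <b>Sunday</b> at 8am</p>',
          '<p>Hi</p><img src=x onerror="hack()">',
          '<p>Hi</p><table><tr><td>x</td></tr></table>'] as $entry) {
    $r = check_entry($entry, $BLACKLIST, $WHITELIST_TAGS);
    echo $r['ok'] ? "saved\n"
        : 'Illegal code entered. It was not saved. Reenter your text without it: '
          . htmlspecialchars($r['segment'], ENT_QUOTES, 'UTF-8') . "\n";
}
```

A whitelist of tag names alone says nothing about attributes, which is why the blacklist pass here also has to catch `on*` handlers and `javascript:` URLs; a production filter would additionally restrict the attributes permitted on each allowed tag.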

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

