WebApp Sec mailing list archives
RE: php to do input validation...
From: "Andrew van der Stock" <vanderaj () greebo net>
Date: Thu, 3 Feb 2005 20:26:49 +1100
Yes, if it is done correctly. Certainly, functions which are available for newer apps are always appreciated as far as I'm concerned, such as reasonable XSS controls, validation functions and classes as well as optional HTTP filters like mod_security or URLscan implements.

Other successful by default controls:

.NET Framework 1.1 SP1 prevents a lot of URL-based XSS due to controls on acceptable characters. This helped prevent split session attacks. 1.1 is simply not vulnerable unless you *really* go out of your way.

J2EE when used with Struts controls a lot of output XSS as long as you use the most common output beans (bean:write), although older or non-Struts code doesn't benefit from this.

So APIs which can be transparently made safe would be a boon. In PHP's case, something which escapes:

echo and print
printf and friends
?>=$foo<?php
?> ... $foo ... <?php (mostly used in eval()'d code)

And others by default would be good. Web app code which breaks under this model is usually trying to output HTML binary attachments, which is better done using streams anyway.

Thanks,
Andrew
-----Original Message-----
From: Matthew Wirges [mailto:wirges () purdue edu]
Sent: Wednesday, 2 February 2005 12:20 PM
To: webappsec () securityfocus com
Subject: php to do input validation...

I thought this was interesting...
http://news.php.net/php.internals/14474

Turns out that there may be input filtering in PHP's future. Maybe even in the next release of 5.x. Read that thread for more information.

My question for webappsec is: do you think it's a good idea for a programming language to add this sort of functionality? Does it coddle users? Does it give a false sense of security (especially if they aren't implemented right)? Or do the positives outweigh the negatives?

Cheers,
-matt

--
Matthew Wirges
IT Security and Policy Analyst
Office of the Vice President for Information Technology
Security and Privacy, Purdue University
wirges () purdue edu :: (765)49-62307
PGP/GPG: EB69 701E EECC 5DD0 E604 0EE0 1346 74BF 5DBC 5ADB
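As an added illustration (not code from the thread, and not anything PHP itself shipped), this sketch shows what Andrew's "escape by default" idea looks like in user-land: the common output paths (echo/print, printf, the `?> ... $foo ... <?php` interpolation) all go through an escaping helper, and emitting raw markup requires a distinct, explicit call. The helper names esc(), out(), outf() and raw() are assumptions for this example.

```php
<?php
// Added example: "safe by default" output helpers for the PHP idioms listed in
// the thread. Names esc(), out(), outf(), raw() are hypothetical.
declare(strict_types=1);

// Escape a value for an HTML text or attribute context. ENT_QUOTES covers both
// quote styles, so the value is safe inside double- or single-quoted attributes.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Default-safe stand-in for echo/print: every argument is escaped.
function out(string ...$values): void
{
    foreach ($values as $v) {
        echo esc($v);
    }
}

// Default-safe stand-in for printf: the format string is developer-written
// template text and stays as-is; only the substituted arguments are escaped.
function outf(string $format, string ...$args): void
{
    echo vsprintf($format, array_map('esc', $args));
}

// Explicit opt-out for deliberately emitting markup. Making the unsafe path the
// one that needs a different name is what "safe by default" buys.
function raw(string $html): void
{
    echo $html;
}

// Constructed untrusted input, standing in for a query-string parameter.
$name = '<script>alert(1)</script>';

out('Hello, ', $name, "\n");                   // tags arrive as &lt;script&gt;...
outf("<p title=\"%s\">%s</p>\n", $name, $name); // safe in attribute and text
?>
<!-- the ?> ... $foo ... <?php interpolation case, routed through the helper -->
<p>User: <?php out($name); ?></p>
<?php
raw("<hr>\n"); // markup the developer actually intends to emit
```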