11-20-2007, 12:21 AM
#9
The Wanderer
Join Date: Nov 2007
Location: according to my wife: on the Net
Posts: 19
Thanks: 0
Quote:
Originally Posted by Matt83
As for the validation, I have a little JS script I like to use, but it's great to see an alternative because JS could be off, which would be a problem.
Sorry to be the paranoid one here again, but you cannot trust client-side scripting (like JavaScript). You said it yourself: no validation occurs when someone disables JavaScript or uses curl to post your form.
As an example: a login screen that only validates with JavaScript and nothing further.
The query to the database is something like:
Code:
<?php
// Deliberately vulnerable: raw POST values are concatenated straight into the SQL text,
// so whatever the user submits becomes part of the query.
$q = "SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND password = '" . $_POST['password'] . "'";
So if I submit something like "" OR 1=1 '# I can access the site without problem.
One thing you'll learn when you've been developing for a long time: you cannot trust foreign sources (users, web services, feeds, or whatever else is not made by you). And of course, can you "really" trust yourself?
Just my 2-cents,
DragonBe
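To make the injection in DragonBe's post concrete, here is an added example (not code from the thread) that rebuilds the same login query in Python against an in-memory SQLite database and runs the bypass, then shows the parameterized version that survives it. The table layout, the single user row and the payload are constructed for the demo; SQLite ends a line comment with `--` where MySQL also accepts `#`, which is why the payload below uses `--`.

```python
import sqlite3


def make_db():
    """Constructed sample database: one user, plaintext password (as in the post's example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Same construction as the PHP snippet in the post: user input spliced into the SQL text."""
    q = ("SELECT * FROM users WHERE username='" + username
         + "' AND password = '" + password + "'")
    # Whatever the user typed is now part of the query grammar, not just data.
    return conn.execute(q).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the driver sends the values separately, so they can never
    alter the query structure, regardless of quotes or comment markers in them."""
    q = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(q, (username, password)).fetchone() is not None


def demo():
    """Runs both logins with a normal credential and with the bypass payload."""
    conn = make_db()
    # The trailing "-- " turns the rest of the query (the password check) into a comment:
    #   SELECT * FROM users WHERE username='' OR 1=1 -- ' AND password = 'anything'
    payload = "' OR 1=1 -- "
    return {
        "vulnerable_valid_creds": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable_injected": login_vulnerable(conn, payload, "anything"),
        "safe_valid_creds": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The injected string logs in through `login_vulnerable` without knowing any password, while `login_safe` simply looks for a user whose name is literally `' OR 1=1 -- ` and finds none. No amount of JavaScript on the form changes either outcome, since curl skips the form entirely; the check has to live where the query is built.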