Yes, it's not quite clear whether you're responding to things Shane or I
said, Jeremy. 

Just to be clear, I too was never arguing that client-side validation
provided any security. It was the outlash against it--because it didn't help
with that--which I was arguing against. As you say, it's valuable for user
convenience and to save round trips, and that was my only contention. In
other words, we shouldn't throw the baby out with the bathwater.

And few would argue with the assertion that "validating the incoming data
and protecting against incoming injection attacks is not all that difficult
if you do it properly from the start." But Shane made a good point about how
sometimes we can only propose what should be done. We can't always dictate
what must be done. 

And for that reason, I'd argue that at least some client validation would be
better than none at all. Sure, it won't stop a determined hacker, but
really, not much will. But not everyone has something really valuable to
protect. And like you guys have said, there's a sliding scale of the cost of
protection against the value of the assets.

Still, we could all definitely stand to know far more about the risks and
the solutions, so that we can make informed decisions. And for that, we're
really fortunate to have Dean Saxe on hand to keep us on our toes! :-) I
really don't mean by any of my comments here to diminish the value and
importance of the kind of security consulting he offers.

/charlie


-----Original Message-----
From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Shane
Sent: Monday, March 23, 2009 10:10 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] over-stating security concerns? (was RE:
ValidateAt parameter is effectively only client side )

Unless I missed something, I don't think anyone was suggesting that client
side validation provides any security.  I was just stating that, in general,
decisions should be based on the bottom line, not a particular view - even
if that view is right most of the time.

Regarding things you "should just do".  I had a client that wanted an
intranet app.  He wanted the rock bottom lowest price.  I explained all of
the features he could leave out, including anything other than very basic
server side validation (OK - I admit cfqueryparam is pretty much a must do).
I fully explained all of the risks and strongly recommended certain measures
but he made the choice to go lowball.  I got it in writing but he paid the
bills.  His choice.  Much of what I left out was in the must do column - at
least in my opinion.

All that said, I think we all agree here - this is all just nuance.

Shane Heasley
www.CTek-Media.com 
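An illustration of the "cfqueryparam is pretty much a must do" point above, added here as an example and not code from either poster: the same lookup written with the value spliced into the SQL versus bound with cfqueryparam, with a server-side check that runs regardless of what the browser did. The datasource, table and column names are assumed.

```cfml
<!--- Added example (not from the thread). Assumed names: datasource "appDS",
      table "orders", columns order_id / customer / total. --->

<!--- Unsafe (shown for contrast): the request value becomes part of the SQL
      text, so anything the browser validated can be bypassed by editing
      the request before it reaches the server. --->
<cfquery name="unsafeOrder" datasource="appDS">
    SELECT order_id, customer, total
    FROM   orders
    WHERE  order_id = #url.id#
</cfquery>

<!--- Server-side validation first: this runs whether or not the client-side
      check ran. Anything that is not an integer is rejected outright. --->
<cfif NOT structKeyExists(url, "id") OR NOT isValid("integer", url.id)>
    <cfthrow type="ValidationError" message="id must be an integer">
</cfif>

<!--- Safe: cfqueryparam sends the value as a bound parameter, never as SQL
      text, and cfsqltype makes the database treat it as an integer. --->
<cfquery name="order" datasource="appDS">
    SELECT order_id, customer, total
    FROM   orders
    WHERE  order_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Free-text input: bound as varchar with an explicit maxlength, so an
      oversize value is refused instead of being passed through. --->
<cfquery name="search" datasource="appDS">
    SELECT order_id, customer
    FROM   orders
    WHERE  customer LIKE <cfqueryparam value="%#form.q#%"
                                       cfsqltype="cf_sql_varchar"
                                       maxlength="60">
</cfquery>
```

The client-side checks the thread discusses still save a round trip for honest users; the cfif and cfqueryparam lines are what actually hold when the browser is not cooperating.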



-------------------------------------------------------------
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
