The whitelist method has been the best-kept secret when talking about security in any application.

A lot of apps (anti-virus, etc.) use blacklisting, and this is somewhat ineffective, especially against problems that you haven't encountered yet. Explicitly and selectively allowing methods, functions, and applications will prevent exploitation.

On 11/4/06, Raymond Olavides <[EMAIL PROTECTED]> wrote:


On 11/3/06, Matt Arnilo S. Baluyos <[EMAIL PROTECTED]> wrote:
On 11/3/06, mungkey <[EMAIL PROTECTED]> wrote:
> Hehehe, yes, it's really something like that, toykhu. Before, there was also
> the trick where you just put a backslash zero at the end, and then you could
> also put in a new query like INSERT or UPDATE; if the account you're injecting
> into has INSERT privileges, that's a sure thing. But usually it's the quotes
> that really do it. I believe Matt and Ardie use a filter or sanitizer in their
> AJAX apps. They could explain this better, since they got to it first ... that
> is, if they're not busy. Hehehe. Those two idols of mine are always busy, they
> say ... hehehe.

It's a framework that you can get from the Internet. It's called kses, and you
can get it at http://sourceforge.net/projects/kses

I think it's the one used by WordPress. We just wrapped it in a class to fit
our API.
 
Yup! kses is the one used by WordPress. I prefer to use phpinputfilter, the one used by Joomla!. By the way, phpinputfilter now has a PEAR package.
 
The difference between kses and phpinputfilter is in their filter implementation: whitelisting allowed tags/characters and blacklisting unwanted tags/characters, respectively.
 
Best-practice papers suggest that whitelisting should be the way to go in filtering user input, which is what we are doing when we use a switch-case statement. I prefer phpinputfilter as it is more popular and, to my knowledge, constantly updated (the PEAR package), and in my tests it hasn't allowed me to inject unwanted characters into the database.
 
Anyway, when it comes to SQL injection, never trust user input. Always validate and sanitize input. One just has to be disciplined enough to pass all user input through a good sanitizer/filter at every load of your script, or at every receipt of input from the client.
 
---

_________________________________________________
Kagay-Anon Linux Users' Group (KLUG) Mailing List
[email protected] (http://cdo.linux.org.ph)
Searchable Archives: http://archives.free.net.ph




--
"A dog that has no bite, barks loudest."
Registered Linux User #400165
Subscribed to:
LARTC, Open-ITLUG, PRUG, KLUG, sybase.public.ase.linux
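The whitelist-versus-blacklist point made in this thread, shown as a runnable example. This is an added illustration and not code from the thread, from kses, or from phpinputfilter: the blacklist here is a toy token-stripping filter standing in for the blacklist style the thread attributes to phpinputfilter, the whitelist is a regular-expression allowlist of the kind a switch-case check gives you, and the user table, names and payloads are all constructed for the demo. It uses SQLite so it runs offline; the injection behaviour is the same as against MySQL. Parameter binding is included at the end as the check a practitioner would want alongside input filtering.

```python
import re
import sqlite3

# Constructed sample table (not real data): three users, one admin.
ROWS = [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


# Toy blacklist: strip the tokens we *know* are dangerous. This is the
# blacklist style discussed in the thread, not any library's real code.
BLACKLIST = ("'", ";", "--", "OR", "UNION")


def blacklist_filter(value):
    for bad in BLACKLIST:
        value = value.replace(bad, "")
    return value


# Whitelist validators: state exactly what is allowed and reject the rest
# outright instead of trying to "clean" it.
ID_RE = re.compile(r"[0-9]{1,9}")
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def whitelist(value, pattern):
    if not pattern.fullmatch(value):
        raise ValueError("rejected by whitelist: %r" % value)
    return value


def by_id_concat(conn, user_id):
    # Vulnerable pattern: the (filtered) input is pasted into the SQL text.
    sql = "SELECT name FROM users WHERE id = %s" % user_id
    return sorted(row[0] for row in conn.execute(sql))


def by_name_concat(conn, name):
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return sorted(row[0] for row in conn.execute(sql))


def by_id_param(conn, user_id):
    # Parameterised query: the value is bound, never parsed as SQL.
    return sorted(row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,)))


def demo():
    conn = make_db()
    results = {}
    # 1. A quote-based payload the blacklist author anticipated:
    #    quotes and OR are stripped, the query just looks up a junk name.
    results["quote_blacklist"] = by_name_concat(
        conn, blacklist_filter("bob' OR 'x'='x"))
    # 2. A numeric-context payload the blacklist did not anticipate: no quote
    #    is needed, and "OORR" survives one pass of .replace("OR", "") as "OR",
    #    so the filtered query becomes "... WHERE id = 2 OR 1=1".
    results["numeric_blacklist"] = by_id_concat(
        conn, blacklist_filter("2 OORR 1=1"))
    # 3. The whitelist rejects the same payload before it reaches SQL.
    try:
        by_id_concat(conn, whitelist("2 OORR 1=1", ID_RE))
        results["numeric_whitelist"] = "accepted"
    except ValueError:
        results["numeric_whitelist"] = "rejected"
    # 4. Legitimate input passes the whitelist unchanged.
    results["legit_whitelist"] = by_id_concat(conn, whitelist("2", ID_RE))
    # 5. With parameter binding the payload is compared as a literal string
    #    and matches nothing, even with no filtering at all.
    results["numeric_param"] = by_id_param(conn, "2 OORR 1=1")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Case 2 is the "problems you haven't encountered yet" failure mode from the first message: the blacklist handles the quote payload it was written for and is defeated by a payload its author never listed, while the whitelist needs no knowledge of attacks at all, only of what a valid id looks like.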
