thanks for the information.

On Wednesday, February 26, 2003, at 04:24 PM, David Smith wrote:

<quote who="Wade Preston Shearer">
i'd like some expounding on this as well...

do i need worry about security if i'm not doing anything secure or any
credit card stuff?

Yes.


if i'm just using php to display dynamic content in templates, are there big
security issues that i need to consider?

Depends, but probably: yes.


Your biggest concern is when you receive user input, and then display that
input in the form of HTML later. A user could embed malicious JavaScript
or some variant that performs unfavorable actions. Consider this
hypothetical example:


On a singles site, registered users can send each other messages. If I embed
JavaScript in a message and send it to another user, when they view my
message, my JavaScript executes. And it executes with all their
permissions. So, I could write code to go change their password (by
submitting a form) and/or mail me their user name. This sort of code could
be brewed up in a few small hours. You can see the repercussions.


If you don't take any user input, then your only major concern is keeping
your PHP up to date.


--Dave



____________________
BYU Unix Users Group
http://uug.byu.edu/
___________________________________________________________________
List Info: http://phantom.byu.edu/cgi-bin/mailman/listinfo/uug-list
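
The message-display case described above, as an added example that is not part of the original email: a PHP page rendering stored messages, first echoing them verbatim and then escaping them at output time. The function names, the `$inbox` array and its contents are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Escape user-supplied text for an HTML body or quoted-attribute context.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: stored input is echoed verbatim, so any markup in it becomes
// live in the viewer's browser, running in the viewer's session.
function render_unsafe(array $msg): string
{
    return '<div class="msg"><b>' . $msg['from'] . '</b>: '
         . $msg['body'] . "</div>\n";
}

// Hardened: every user-controlled field is escaped when it is written
// into the page, so the browser shows the markup as text.
function render_safe(array $msg): string
{
    return '<div class="msg"><b>' . e($msg['from']) . '</b>: '
         . e($msg['body']) . "</div>\n";
}

// Constructed sample data standing in for rows read from a message table.
$inbox = [
    ['from' => 'alice',   'body' => 'Hi, nice profile!'],
    ['from' => 'mallory', 'body' => '<script>alert("xss")</script>'],
];

foreach ($inbox as $msg) {
    echo 'unsafe: ', render_unsafe($msg);
    echo 'safe:   ', render_safe($msg);
}
```

With the escaped version the second message is delivered to the browser as `&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;` and displayed as plain text instead of being executed.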


