Gmail accounts ‘wide open to exploit’ through XSS (presumably in the form of an email).
Chris has a good explanation on XSS Self Defence.
While on the subject, I was glancing at a PHP book called “PHP 4 Programming for Advanced Web Developers”, which you thankfully won’t find in the bookstores (it is electronic only, from a small online bookstore). Here’s a quote:
You can validate the form data by using client-side scripting languages, such as JavaScript or VBScript, [...], or send the form data to a verification script.
That suggests client-side validation is good enough (and makes me want to scream). I think there needs to be a place to report misinformation as well as application security holes.
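To make the point concrete, here is an added example (not from the post or the book it quotes) of the part the quoted advice leaves out: the verification script on the server. Any JavaScript or VBScript check runs in the visitor's browser and is skipped simply by posting straight to the script, so the server has to re-validate every field itself and escape anything it echoes back into HTML. The form fields and the sample submission are constructed for the example.

```php
<?php
// Added example, not code from the post: server-side handling of a hypothetical
// contact form. Client-side checks may improve the user experience, but only the
// checks here can be relied on, because the browser is under the sender's control.

declare(strict_types=1);

/**
 * Validate a submission (e.g. $_POST) for the constructed "contact" form.
 * Returns field => error message; an empty array means the input is acceptable.
 */
function validate_contact_form(array $input): array
{
    $errors = [];

    $name = isset($input['name']) && is_string($input['name']) ? trim($input['name']) : '';
    if ($name === '' || strlen($name) > 100) {
        $errors['name'] = 'Name is required and must be at most 100 characters.';
    }

    $email = isset($input['email']) && is_string($input['email']) ? trim($input['email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    }

    $message = isset($input['message']) && is_string($input['message']) ? $input['message'] : '';
    if ($message === '' || strlen($message) > 5000) {
        $errors['message'] = 'Message is required and must be at most 5000 characters.';
    }

    return $errors;
}

/** Escape a string for safe inclusion in HTML text or attribute context. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submission standing in for $_POST. The e-mail field is
// malformed and the message carries a script tag; a client-side-only check
// never sees either, because the request can be sent without loading the form.
$submission = [
    'name'    => 'Ren',
    'email'   => 'not-an-address',
    'message' => '<script>alert(1)</script> Hello',
];

$errors = validate_contact_form($submission);
if ($errors !== []) {
    foreach ($errors as $field => $msg) {
        echo h($field) . ': ' . h($msg) . "\n";
    }
} else {
    echo '<p>Thanks, ' . h($submission['name']) . '</p>' . "\n";
}

// Whatever is echoed back is escaped on output, so the script tag is rendered
// as literal text (&lt;script&gt;...) rather than executed by the next reader.
echo '<pre>' . h($submission['message']) . '</pre>' . "\n";
```

Validation rejects what the application cannot use; escaping on output is what actually prevents the XSS, and the two are kept separate so that a field which legitimately contains angle brackets is still displayed safely.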
Just wish there was more support for HttpOnly cookies. (Both in non-IE browsers, and PHP)
http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
October 29th, 2004 at 8:20 pm
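As an added example (not Ren's code or the post's), here is how the HttpOnly flag is emitted from PHP. It assumes PHP 5.2.0 or later, where setcookie() gained an $httponly parameter and the session.cookie_httponly ini setting controls PHP's own session cookie; for older builds the flag has to be written into the Set-Cookie header by hand, as the fallback branch does. HttpOnly only keeps script from reading the cookie in browsers that honour it; it does not stop the injected script from running, so the server-side escaping still has to be there.

```php
<?php
// Added example, not code from the thread: sending a cookie with the HttpOnly
// attribute from PHP, with a manual-header fallback for pre-5.2 versions.

function send_httponly_cookie($name, $value, $expires = 0)
{
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // Arguments: name, value, expire, path, domain, secure, httponly
        return setcookie($name, $value, $expires, '/', '', false, true);
    }

    // Fallback for PHP 4 / early PHP 5: emit the header ourselves. The second
    // argument to header() (false) appends rather than replacing earlier cookies.
    header(
        'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value) . '; path=/; HttpOnly',
        false
    );
    return true;
}

// Mark PHP's own session cookie HttpOnly. This must be set before session_start().
ini_set('session.cookie_httponly', '1');
session_start();

// A constructed application cookie, sent with the same flag.
send_httponly_cookie('prefs', 'theme=dark');
```

Because cookies are headers, both calls have to happen before any output is sent; otherwise PHP reports "headers already sent" and the flag never reaches the browser.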
Amen to that, Ren.
https://bugzilla.mozilla.org/show_bug.cgi?id=178993
October 29th, 2004 at 8:31 pm
Thanks for the link, Harry. There’s also a plain HTML version available on my Web site that some people might prefer:
http://shiflett.org/articles/foiling-cross-site-attacks
Do you have any details about the vulnerability? I know the original announcement was purposely vague, but I presume things have been fixed by now.
Someone recently sent me a description of a supposed Gmail vulnerability, wanting me to determine whether their findings were valid. I was able to access their account, which was more than they had expected. However, the attack required me to access a URL that should only really be known by the user, and I never had a chance to look into it more. I think details about this recent attack might give me some more perspective about what Google is doing on the server side.
October 30th, 2004 at 3:48 am