Re: [PEAR] Quickform security question

Alexey Borzov 2005-09-29, 6:57 pm

Hi,
l Burnerheimerton wrote:
> Can a malicious user compose a fake submission, using
> telnet or some other means, and bypass Quickform
> validation?
Can I have some stuff you smoke there?

l Burnerheimerton 2005-09-29, 6:57 pm

--- Alexey Borzov <borz_off@cs.msu.su> wrote:
> Hi,
>
> l Burnerheimerton wrote:
> using
>
> Can I have some stuff you smoke there?
>
Read chapter 2 of this then you can smoke all you
want:
http://shiflett.org/php-security.pdf

Alexey Borzov 2005-09-29, 6:57 pm

Hi,
l Burnerheimerton wrote:
>
> Read chapter 2 of this then you can smoke all you
> want:
> http://shiflett.org/php-security.pdf
While I'd really like to have this fine guide delivered to me printed on toilet
paper (that's the only form in which it is actually *useful*), I now understand
your concern.
QuickForm's manual actually states:
"QuickForm can generate the javascript necessary to validate the form on the
client side. This feature works for all standard elements and for groups. Server
side validation is always performed in case the client has javascript turned off."
In case it is *still* not clear: you can only bypass client side (as in:
javascript) validation by using telnet or whatever. After that server side
validation kicks in and that is always on in QuickForm.
[1] http://pear.php.net/manual/en/packa...-validation.php
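
The behaviour described in the last reply, as an added example that is not part of the thread or of QuickForm's documentation: rules registered with the `'client'` flag are still checked on the server by `validate()`, so a submission that never ran the generated JavaScript is rejected. It assumes PEAR HTML_QuickForm is installed on a PHP version the package supports; the form name, field names and the constructed `$_POST` values are made up for illustration.

```php
<?php
// Added example. Assumes PEAR HTML_QuickForm is installed and loadable.
require_once 'HTML/QuickForm.php';

// Constructed input: stands in for a POST body that was sent without a
// browser, so none of the generated JavaScript checks ever ran.
$_POST = array('email' => 'not-an-email', 'send' => 'Send');

// 'signup' is a hypothetical form name; the default method is POST.
$form = new HTML_QuickForm('signup', 'post');
$form->addElement('text', 'email', 'Email:');
$form->addElement('submit', 'send', 'Send');

// The fifth argument 'client' asks QuickForm to also emit JavaScript
// for the rule. The rule itself is still evaluated in validate().
$form->addRule('email', 'Email is required', 'required', null, 'client');
$form->addRule('email', 'Email looks invalid', 'email', null, 'client');

if ($form->validate()) {
    // Reached only when every rule passed on the server.
    $values = $form->exportValues();
    echo 'accepted: ' . htmlspecialchars($values['email']) . "\n";
} else {
    // The constructed request lands here: the 'email' rule fails
    // server-side even though no client-side check was executed.
    echo 'rejected: ' . $form->getElementError('email') . "\n";
}
```

Application code should act on the submitted values only inside the `validate()` branch; the `'client'` flag is a convenience for users and adds nothing to enforcement.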