The Register® — Biting the hand that feeds IT

Post: Re: To all web programmers on El Reg

Dennis

In Web infection attacks more than 100,000 pages

I'm sure we could debug the code for @Steve Roper. Whether it's the simple ~= should be =~ or the fact that the double quote character " is transformed into the bizarre string &amp&#59;quot&#59; or that the quote character ' is transformed into a hash symbol #.

This code is fundamentally flawed and is an example of how it is too easy to write a bit of code and believe you are safe. If you are going to filter the input like this then you should allow data that is known to be safe and remove or modify everything else. As we can see from this example, single quotes and double quotes are included but not back-tick. Round brackets are included but not square or curly brackets. What about at, dollar, percent or double hyphen, which can have special meaning? The list goes on.

I've seen sites that try to use mechanisms like this. The CEO has to deal with complaints when Mr O'Connor can't book tickets because his name has been garbled.

@umacf24 You are correct. This is an exploit.

@Mark Flingstone - I agree completely.
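As an added illustration of the two points above (a denylist filter both garbles legitimate names such as O'Connor and still misses characters like the back-tick, whereas an allowlist plus a parameterised query does neither), here is example code written for this page, not code from the poster or from the site under discussion. The denylist filter is a constructed stand-in for the kind of code being criticised, the name allowlist is an assumption about what a booking form needs, and the database is an in-memory sqlite3 table.

```python
import re
import sqlite3

# Constructed denylist filter of the kind the post criticises: it strips a
# handful of characters it considers dangerous and lets everything else through.
# Note that back-tick, square/curly brackets, @, $, % and -- are all untouched.
DENYLIST = set("'\"()")

def denylist_filter(value: str) -> str:
    """Silently removes quotes and round brackets; everything else passes."""
    return "".join(ch for ch in value if ch not in DENYLIST)

# Allowlist validator for a person's name (assumed policy for this example):
# letters, spaces, hyphen and apostrophe only. Anything outside the allowed set
# is rejected outright rather than silently altered, so O'Connor survives intact.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' \-]{0,99}$")

def is_valid_name(value: str) -> bool:
    return NAME_RE.fullmatch(value) is not None

def book_ticket(conn: sqlite3.Connection, name: str) -> str:
    """Validate against the allowlist, then store and read back the name using
    a parameterised query. The driver keeps data separate from the SQL text,
    so an apostrophe in the name is plain data and needs no filtering at all."""
    if not is_valid_name(name):
        raise ValueError(f"rejected name: {name!r}")
    conn.execute("INSERT INTO bookings(name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM bookings WHERE name = ?", (name,)).fetchone()
    return row[0]

def demo() -> dict:
    """Run both approaches over constructed inputs and return the outcomes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings(name TEXT)")
    results = {}
    # The denylist garbles a legitimate customer name...
    results["denylist_oconnor"] = denylist_filter("O'Connor")
    # ...while a back-tick, which the filter never considered, passes untouched.
    results["denylist_backtick"] = denylist_filter("O`Connor")
    # The allowlist plus parameterised query stores O'Connor exactly as typed.
    results["param_oconnor"] = book_ticket(conn, "O'Connor")
    # The same path refuses the back-tick variant instead of letting it through.
    try:
        book_ticket(conn, "O`Connor")
        results["backtick_rejected"] = False
    except ValueError:
        results["backtick_rejected"] = True
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the contrast is that the parameterised query removes the need to guess which characters are dangerous, and the allowlist only has to describe what a name looks like, which is a far shorter and more stable list than everything that might someday have special meaning.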
