
Chapter 4 Web Application Concepts: Bringing data

Filed under: Web Applications Development With PHP4.0 — webmaster @ 05:18

Bringing data from a lower security level to a higher level (as when importing user variables) requires more care. You can't assume that the supplied data meets any requirements, not even if you supplied the data to the client in the first place. For example, you could check data in an HTML form with JavaScript on the client side, but you can't assume on the server that the data is in the format you expect, because the user could have turned off JavaScript or could have submitted the form from a Telnet prompt.

Another common error is supplying data to the user and taking it for granted that it doesn't get changed. For example, a page might display account information for a user, called after the user has logged in with a query string like script.php3?user_id=1. Of course, nothing prevents the user from changing the variable user_id to something other than 1 and editing anyone's data.

Many Web applications today check contents provided by one user for another user. For example, it will be hard to find a message board allowing you to enter as a keyword, and would actually get a JavaScript pop-up message in the browser (if JavaScript is enabled). As long as users enter the search terms themselves, this isn't much of a problem; the worst case would be that they crash their own browsers with malicious JavaScript. But wait. Why shouldn't users point others to the results for a certain search they find useful? For example, on phpWizard.net you can find a form that automatically searches Amazon for all PHP-related books. Now the issue gets hairy. An attacker can have a link to search results for the term on his or her public Web site. All users who follow this link (or submit the search form) will get the infamous Hello World message as a pop-up message in their browsers. You can do a lot more dangerous things than displaying messages, though.

If we extend the example a little bit, we can use phpVista as a search engine in an e-commerce Web site, which uses proper session management and stores the session ID in cookies. If we also increase our attacker's IQ, he or she drops the Hello World pop-up and uses another JavaScript instead to read
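The two pitfalls described above (trusting user_id from the query string, and echoing a search term back as markup) handled server-side, as an added PHP example that is not part of the book excerpt or the hosting site; the function names and the session layout are assumptions for illustration.

```php
<?php
// Added example: server-side handling of the two pitfalls above.
// Function names and the session array layout are assumptions.
declare(strict_types=1);

// 1. Never take the account id from the query string. The client can edit
//    script.php3?user_id=1 at will; only the server-side session is trusted.
function accountIdFromSession(array $session): ?int
{
    // The session id travels in a cookie; the account id was stored at login.
    return isset($session['user_id']) ? (int) $session['user_id'] : null;
}

function canViewAccount(array $session, string $requestedId): bool
{
    $own = accountIdFromSession($session);
    // Accept the parameter only if it is a well-formed integer that matches
    // the logged-in account; anything else (another id, junk) is denied.
    return $own !== null
        && ctype_digit($requestedId)
        && (int) $requestedId === $own;
}

// 2. Treat the search term as data, not markup, before echoing it back.
//    A term arriving through a link someone else published is still untrusted.
function renderSearchHeading(string $term): string
{
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>Results for \"$safe\"</h1>";
}

// Constructed sample input: the excerpt's own pop-up example as a keyword.
$term = "<script>alert('Hello World')</script>";
// The browser renders the escaped text literally; no script runs.
echo renderSearchHeading($term), "\n";

// Constructed session as set at login; the request parameter is what
// arrived in the query string.
$session = ['user_id' => 1];
var_dump(canViewAccount($session, '1'));    // the user's own account
var_dump(canViewAccount($session, '2'));    // someone else's id: denied
var_dump(canViewAccount($session, '1 OR')); // malformed value: denied
```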

