Re: Serverside script injection?

At the base of this, I believe, is the principle that 100% of user input must go through a parsing process.

For PHP, this means addslashes(), especially for something that goes into mySQL or any other SQL statement.

I once saw a nslookup tool that took user input in the form of an IP address or a hostname as $input and ran the command system("nslookup $input"); or somesuch; without filtering, we can see the drastic effects this could have (ns.php?input=127.0.0.1%20&&%20rm%20/%20-rf).

-James Ferrara
SIG: Looking for an internship in the Wash DC area.

>To:joh ket <johket@hotmail.com>
>cc:webappsec@securityfocus.com
>bcc:
>Subject:Re: Serverside script injection?
>From: Peter Conrad <conrad@tivano.de>
>
>Date: 01/13/2003 09:12 AM CET
>
>Hi,
>
>On Fri, Jan 10, 2003 at 09:05:31AM -0000, joh ket wrote:
was
>> possible to execute OS-commands through URL/userinput manipulation,
script
>> injection' is possible or not (assuming the programmer/coder does not
want
>> any security).
Received on Mon Jan 13 03:44:35 2003