Mailinglist Archive: opensuse (3566 mails)
Re: [opensuse] PHP Question
- From: Randall R Schulz <rschulz@xxxxxxxxx>
- Date: Fri, 27 Apr 2007 19:54:07 -0700
- Message-id: <200704271954.07662.rschulz@xxxxxxxxx>
On Friday 27 April 2007 19:09, Cristian Rodriguez R. wrote:
> Randall R Schulz wrote:
>
> > In essence you're accepting fragments of PHP code
>
> > from the client
>
> Nope. I'm accepting a value of type string, that in this particular
> case can be used to execute malicious code **in the client side**.
But as you said, the PHP is only running on the server.
> You are mixing apples with pears. SQL injection is one thing and XSS
> is another, quite different but caused by the same problem: bad user
> input validation/escaping/whatever. (Not a PHP problem, btw.)
You've got to clarify this. I see an HTML form that submits PHP code.
How is that not an avenue for an injection exploit?
What is XSS?
Randall Schulz
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
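As an added illustration of the point the thread is circling (a submitted string is data to PHP and is never executed on the server; it becomes dangerous only when it is echoed unescaped into the HTML sent back to the browser), here is a small PHP script. It is not code from the thread; the form field and the sample value are constructed for the demonstration.

```php
<?php
// Added example, not from the mailing-list thread.
// Constructed stand-in for a value a form field (hypothetically "name") might submit.
// PHP treats this as an ordinary string: no eval(), no include(), nothing runs server-side.
$submitted = '<script>alert(1)</script>';

// Vulnerable rendering: the string is concatenated into HTML verbatim, so the
// browser parses it as markup and runs the script. That is XSS, a client-side issue.
function render_unsafe(string $value): string
{
    return '<p>Hello, ' . $value . '</p>';
}

// Hardened rendering: escape for the HTML context at the point of output.
// The data is unchanged; only its representation in HTML is neutralised.
function render_safe(string $value): string
{
    return '<p>Hello, ' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

echo 'Unsafe: ', render_unsafe($submitted), PHP_EOL;
echo 'Safe:   ', render_safe($submitted), PHP_EOL;

// Self-check runnable from the CLI (php this_file.php): the escaped output must
// contain no raw tag from the input. Exit non-zero if escaping ever regresses.
if (strpos(render_safe($submitted), '<script') !== false) {
    fwrite(STDERR, "escaping failed: raw markup reached the output\n");
    exit(1);
}
```

The same root cause (untrusted input crossing into another interpreter) needs a context-specific fix: HTML escaping for output to the browser, parameterised queries for SQL.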