Jonkman Microblog
  1. Hypolite Petovan (hypolite@friendica.mrpetovan.com)'s status on Friday, 17-May-2019 15:15:53 EDT
    Personal bookmark: www.sqreen.com/checklists/php-…

    I doubt I can apply it in its entirety to #Friendica without major rewrites, but I'll try my best!

    #php #webdev #security www.sqreen.com/checklists/php-…
    In conversation Friday, 17-May-2019 15:15:53 EDT from friendica.mrpetovan.com
    1. Hypolite Petovan (hypolite@friendica.mrpetovan.com)'s status on Friday, 17-May-2019 16:55:37 EDT
      in reply to
      @Hans W You are simply wrong about most of what you said:
      • Yes, you can do some filtering on input, but when dealing with most arbitrary strings you're pretty much powerless on user input. In these cases, you have to escape the data on display, depending on the context. For example, you don't escape a string that's meant to be in an HTML attribute value the same way as one in a text node (like most post content). You can't always make this distinction when you store the data, and it's going to be escaped in the database, which is useless and hard to read manually.
      • PDO can prevent you from concatenating raw user input in SQL queries.
      • ORM removes the need to write SQL queries and, as such, to write insecure SQL queries.
      • Not trusting open_basedir doesn't prevent you from setting it in the first place.
      This doesn't inspire trust in me towards the two remaining claims (session IDs and readfile executing PHP) that I have no personal experience with.
      In conversation Friday, 17-May-2019 16:55:37 EDT from friendica.mrpetovan.com
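The two practical points in the reply above, escaping on output according to the context the string lands in (rather than escaping before storage) and keeping user input out of SQL text by binding parameters with PDO, as an added PHP example. This is not code from the thread or from Friendica; the `post` table, its columns and the helper names are assumptions made for the demo, and the sample rows are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from Friendica.
// Table 'post' with columns author/body is assumed for this demo.

// Store the raw string. Escaping belongs to the output context, so the
// database keeps data that is readable and reusable in any context later.
function storePost(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO post (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// The query text is fixed; $author travels as a bound value, never as SQL.
function loadPosts(PDO $db, string $author): array
{
    $stmt = $db->prepare('SELECT author, body FROM post WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HTML text-node and quoted-attribute context: '<', '&' and both quote
// characters become entities. ENT_QUOTES is what makes this safe inside a
// quoted attribute; the attribute must still be quoted at the call site.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL query-parameter context: a different encoding (percent-encoding).
// When the URL is then placed in an href attribute, both layers apply:
// first escUrlParam, then escHtml, because the contexts are nested.
function escUrlParam(string $s): string
{
    return rawurlencode($s);
}

function renderPost(array $post): string
{
    $author = $post['author'];
    $body   = $post['body'];
    return '<article data-author="' . escHtml($author) . '">'
         . '<a href="/profile?user=' . escHtml(escUrlParam($author)) . '">'
         . escHtml($author) . '</a>'
         . '<p>' . escHtml($body) . '</p>'
         . '</article>';
}

// Demo on an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE post (author TEXT, body TEXT)');

// A single quote in the author name would break a concatenated query;
// with a bound parameter it is stored verbatim and retrieved intact.
storePost($db, "O'Brien", 'Tom & Jerry <3 "quotes" in a <b>text node</b>');
storePost($db, 'hans', 'plain body');

foreach (loadPosts($db, "O'Brien") as $post) {
    // The raw row still contains the unescaped characters (stored as typed).
    echo $post['body'], "\n";
    // Rendering escapes once, for the HTML context it is emitted into.
    echo renderPost($post), "\n";
}
```

Run it with `php example.php` (requires the pdo_sqlite extension). The first line printed is the raw body as stored, showing that nothing was escaped in the database; the second line shows `&amp;`, `&lt;` and `&quot;` entities in the text node and attribute, and `O%27Brien` inside the href, which is the context-dependent difference the reply describes.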

Jonkman Microblog is a social network, courtesy of SOBAC Microcomputer Services. It runs on GNU social, version 1.2.0-beta5, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All Jonkman Microblog content and data are available under the Creative Commons Attribution 3.0 license.
