Personal bookmark: www.sqreen.com/checklists/php-…
I doubt I can apply it in its entirety to #Friendica without major rewrites, but I'll try my best!
#php #webdev #security www.sqreen.com/checklists/php-…
-
@Hans W You are simply wrong about most of what you said:
- Yes, you can do some filtering on input, but when dealing with most arbitrary strings you're pretty much powerless on user input. In these cases, you have to escape the data on display, depending on the context. For example, you don't escape a string that's meant to be in an HTML attribute value the same way as one in a text node (like most post content). You can't always make this distinction when you store the data, and it's going to be escaped in the database, which is useless and hard to read manually.
- PDO can prevent you from concatenating raw user input in SQL queries.
- ORM removes the need to write SQL queries and, as such, the writing of insecure SQL queries.
- Not trusting open_basedir doesn't prevent you from setting it in the first place.
This doesn't inspire trust in me towards the two remaining claims (session IDs and readfile executing PHP), which I have no personal experience with.
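The two points made in the reply above, context-dependent output escaping and parameterised queries with PDO, as an added PHP example that is not code from the thread or from Friendica; the `posts` table, its columns and the function names are assumptions:

```php
<?php
// Added example, not code from the thread or from Friendica: store user input raw
// via a PDO prepared statement, and escape it at render time for the HTML context
// it lands in. The `posts` table and its columns are assumed.
declare(strict_types=1);

const HTML_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

// Text node content (e.g. a post body): < > & must become entities.
function escText(string $s): string {
    return htmlspecialchars($s, HTML_FLAGS, 'UTF-8');
}

// Quoted attribute value: quotes must be encoded too, or the value can close the
// attribute and add new ones. The function emits the surrounding quotes itself.
function escAttr(string $s): string {
    return '"' . htmlspecialchars($s, HTML_FLAGS, 'UTF-8') . '"';
}

// String literal inside an inline <script>: JSON-encode with the HTML-safe flags so
// a "</script>" inside the data cannot terminate the script block.
function escJs(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Storing: the body is bound as a parameter, never concatenated into the SQL.
function storePost(PDO $db, int $authorId, string $body): void {
    $stmt = $db->prepare('INSERT INTO posts (author_id, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $authorId, ':body' => $body]);
}

// Rendering: the same raw strings get a different escape for each place they go.
// A URL query parameter is percent-encoded first, then attribute-escaped as part of href.
function renderPost(string $author, string $body): string {
    $search = '/search?q=' . rawurlencode($author);
    return '<article data-author=' . escAttr($author) . '>'
         . '<p>' . escText($body) . '</p>'
         . '<a href=' . escAttr($search) . '>more by author</a>'
         . '<script>var author = ' . escJs($author) . ';</script>'
         . '</article>';
}

// Constructed sample input: a quote in the author name and markup in the body.
echo renderPost('Bob" title="injected', '<b>hello</b> & goodbye'), PHP_EOL;
```

The stored value stays raw; only the rendering step decides how it is escaped, which is why the same author string is encoded three different ways in the output.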