PSA: Sanitize User Input!

IEC

Elite Member
Super Moderator
Jun 10, 2004
<-- FuseTalk is a prime example of what NOT to do.

At my workplace any code I write does this. Yes, it can be tedious and repetitive to ensure that data follows a strict format/type/is sanitized. But it is pretty simple to do and will help prevent malicious attacks.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
lol that was fun..... but yeah, VERY important. Some people don't consider a drop down or check box user input, but it is. A basic understanding of the HTTP protocol (or even just TCP, as this does not only apply to HTTP) will show why. A drop down is just a GUI feature. In the end your browser is just assigning a value to a variable and shooting it off to the server. A check box has the value of null or "checked" (I think... been a while), but nothing stops a user from giving it the value of "';drop forum;" or something to that extent. (probably not the best or even working example of SQL injection, but you get the drift)
 

LumbergTech

Diamond Member
Sep 15, 2005
I am finishing a secure coding class tomorrow and this was basically the theme of the entire class... "DON'T TRUST USER DATA"
 

Markbnj

Elite Member
Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
No bans unless they leave the avatars in past 10 PM this evening. However, I think a better course in general is to notify the webmaster of a site when you find a vulnerability, not exploit it :).
 

Ka0t1x

Golden Member
Jan 23, 2004
Oh definitely.. report it.. but it's more fun to abuse for the time being...

You learn the hard way, then never again trust it. Creating a quick function or class (PHP) to handle user input is so useful; it's usually one of the first pieces dropped into anything I code.
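An added example (not code from this thread or any poster) of the kind of PHP input helper described above, covering the drop-down and check-box case from Red Squirrel's post: every field is checked against a server-side rule, and the cleaned values still reach SQL only through bound parameters. The field names, the rule format and the `threads` table are assumptions for the illustration.

```php
<?php
// Allowed drop-down values live on the server; the browser's <select> is only a
// hint, and the client can send any string for the 'sort' variable.
const ALLOWED_SORT = ['newest', 'oldest', 'popular'];

// Validate one request array against per-field rules (hypothetical rule format).
// Returns cleaned, typed values or throws on the first field that fails.
function validateInput(array $raw, array $rules): array
{
    $clean = [];
    foreach ($rules as $field => $rule) {
        $value = $raw[$field] ?? null;
        switch ($rule['type']) {
            case 'enum':      // drop-down: must be one of the server-side options
                if (!is_string($value) || !in_array($value, $rule['allowed'], true)) {
                    throw new InvalidArgumentException("Bad value for $field");
                }
                $clean[$field] = $value;
                break;
            case 'checkbox':  // check box: only the expected token counts as "checked"
                $clean[$field] = ($value === 'on' || $value === '1');
                break;
            case 'int':       // numeric id: digits only and within a sane range
                if (!is_string($value) || !ctype_digit($value) || (int)$value > $rule['max']) {
                    throw new InvalidArgumentException("Bad value for $field");
                }
                $clean[$field] = (int)$value;
                break;
            default:
                throw new LogicException("Unknown rule type for $field");
        }
    }
    return $clean;
}

$rules = [
    'sort'   => ['type' => 'enum', 'allowed' => ALLOWED_SORT],
    'sticky' => ['type' => 'checkbox'],
    'thread' => ['type' => 'int', 'max' => 1000000],
];

// Constructed request: the check box carries the tampered value quoted in the thread.
$request = ['sort' => 'newest', 'sticky' => "';drop forum;", 'thread' => '42'];
$clean   = validateInput($request, $rules);   // 'sticky' becomes false, never a string

// Even validated values are bound as parameters, not concatenated into the query.
$pdo  = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE threads (id INTEGER, sticky INTEGER)');
$stmt = $pdo->prepare('UPDATE threads SET sticky = :sticky WHERE id = :id');
$stmt->execute([':sticky' => (int)$clean['sticky'], ':id' => $clean['thread']]);
```

Rejecting unknown values outright (rather than trying to "clean" them) is the whitelist approach; it works the same for hidden fields and radio buttons, which are equally just variables the client chooses to send.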
 

Cogman

Lifer
Sep 19, 2000
Originally posted by: Markbnj
No bans unless they leave the avatars in past 10 PM this evening. However, I think a better course in general is to notify the webmaster of a site when you find a vulnerability, not exploit it :).

PPPPppsssshhh. You're just mad you didn't get into the custom avatar action :)

I somewhat agree though. Don't do malicious exploits to prove a point, ever. All-In-Good fun exploits are fun though :)
 

Markbnj

Elite Member
Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
Originally posted by: Cogman
Originally posted by: Markbnj
No bans unless they leave the avatars in past 10 PM this evening. However, I think a better course in general is to notify the webmaster of a site when you find a vulnerability, not exploit it :).

PPPPppsssshhh. You're just mad you didn't get into the custom avatar action :)

I somewhat agree though. Don't do malicious exploits to prove a point, ever. All-In-Good fun exploits are fun though :)

It's strange, but in my experience webmasters and security types don't much see the humor even in the "all-in-good-fun" types. But anyway, yeah, this was pretty harmless. But it still got "Sticky from God" treatment in every forum on the boards :).
 

troytime

Golden Member
Jan 3, 2006
Originally posted by: Markbnj
Originally posted by: Cogman
Originally posted by: Markbnj
No bans unless they leave the avatars in past 10 PM this evening. However, I think a better course in general is to notify the webmaster of a site when you find a vulnerability, not exploit it :).

PPPPppsssshhh. You're just mad you didn't get into the custom avatar action :)

I somewhat agree though. Don't do malicious exploits to prove a point, ever. All-In-Good fun exploits are fun though :)

It's strange, but in my experience webmasters and security types don't much see the humor even in the "all-in-good-fun" types. But anyway, yeah, this was pretty harmless. But it still got "Sticky from God" treatment in every forum on the boards :).

Yeah, I kinda see both sides... but I definitely wouldn't flaunt things in this community.
Years ago I discovered the ability to change the polls associated with other threads here on the AT forums. I shared my findings with the admin but never heard back, and the fix was never implemented (until the FuseTalk conversion from ColdFusion to .NET happened).