

SQL Injection.. is it really that simple?

#11  01-25-09, 08:09 PM
infinitylimit, Code Guru (joined Jun 2004; Oregon; 758 posts; 0 thanks given; thanked 0 times in 0 posts)
Oh how I love to scare people with XSS and SQL injection, but really what it comes down to is the value of what you are trying to protect. If you are CIO for a multi-million dollar business that is dependent on having 24/7 ecommerce availability, then you better invest a lot of time in securing not only your code but everything from your provider to the server.

However, if you are just programming some mom and pop's store that is getting an ecommerce site because "it's what you're supposed to do", then I don't suspect the value of that data is near the worth. I'm sure that people might say that is callow.

As far as the actual ease of process of an attack, well... that really depends on who you talk to. Like for instance all the variables in the URL for this thread. I'm sure you could just start putting various back-ticks and semi-colons in the query string and make it error in an unusual way. But being able to directly access the database requires a bit of knowledge of the use of that variable within the program. You might download vBulletin® Version 3.6.4 and trace the $_GET['p'] variable until you find it within a SQL statement, or in a PHP statement that you could exploit. There might not be one, so you would have to hunt down another attack vector.

It's a game of persistence of the attacker, and perceived value of exploit.
__________________
Hawk Enterprises -- Home to PHP games, open-source code, tutorials and free downloads
#12  01-25-09, 08:52 PM
sushi4664, Aspiring Coder (joined Apr 2007; USA; 411 posts; 0 thanks given; thanked 0 times in 0 posts)
Quote (Originally Posted by Psybadek):
    so you're saying you're not going to give credit for the function?
Quite the opposite...I am asking End User to provide me with a way I can attribute/link the code to him.
__________________
- sushi
Visit http://napkinz.com/index.php - web comic that is updated weekly

-ps: got through the archive...there are really funny comics in there....
#13  01-25-09, 10:55 PM
sushi4664, Aspiring Coder (joined Apr 2007; USA; 411 posts; 0 thanks given; thanked 0 times in 0 posts)
I'll do both
#14  01-25-09, 10:56 PM
End User, Level II Curmudgeon (joined Dec 2004; 3,027 posts; 14 thanks given; thanked 35 times in 33 posts)
Quote (Originally Posted by sushi4664):
    Quite the opposite...I am asking End User to provide me with a way I can attribute/link the code to him.
Well, you can credit it to "End User" if you want, but I borrowed a lot of the base code from a CodeIgniter function, so I can't claim it's mine.
__________________
I don't live on the edge, but sometimes I go there to visit.
-------------------------------------------------------------------------
Sanitize Your Data | Oracle Date & Substring Functions | Code Snippet Library | [url=http://www.codmb.com/]Call Of Duty[/url]
#15  01-25-09, 11:01 PM
sushi4664, Aspiring Coder (joined Apr 2007; USA; 411 posts; 0 thanks given; thanked 0 times in 0 posts)
^^AHHH errors...how is my post at 10:55 before 10:56?
#16  01-25-09, 11:01 PM
End User, Level II Curmudgeon (joined Dec 2004; 3,027 posts; 14 thanks given; thanked 35 times in 33 posts)
Quote (Originally Posted by infinitylimit):
    Oh how I love to scare people with XSS and SQL injection, but really what it comes down to is the value of what you are trying to protect. If you are CIO for a multi-million dollar business that is dependent on having 24/7 ecommerce availability, then you better invest a lot of time in securing not only your code but everything from your provider to the server.
I think a lot of the time they couldn't care less about the data, what they want is to crack the site or server so they can use it as a platform to serve warez, drop malware, make it part of a spam bot net, or use it for a phishing site. (I notice a lot of phishing sites are located in application image directories or similar locations where they aren't visible from a cursory examination.)

XSS and SQL injection are real problems and they're often fully automated. It's not a lone hacker trying to mess with your site, it's bot nets fuzzing every form they can find testing out long lists of common exploits. If your site is vulnerable, the chance of it getting hammered by a bot is actually pretty good.
#17  01-25-09, 11:04 PM
End User, Level II Curmudgeon (joined Dec 2004; 3,027 posts; 14 thanks given; thanked 35 times in 33 posts)
Quote (Originally Posted by sushi4664):
    ^^AHHH errors...how is my post at 10:55 before 10:56?
That can happen for very large values of "10:55".
#18  01-25-09, 11:10 PM
sushi4664, Aspiring Coder (joined Apr 2007; USA; 411 posts; 0 thanks given; thanked 0 times in 0 posts)
Hahaha...that made me laugh
#19  01-26-09, 05:17 AM
infinitylimit, Code Guru (joined Jun 2004; Oregon; 758 posts; 0 thanks given; thanked 0 times in 0 posts)
Quote (Originally Posted by End User):
    If your site is vulnerable, the chance of it getting hammered by a bot is actually pretty good.
Let's be clear. I'm not saying it doesn't happen, I'm not saying don't care about security. I'm saying be lazy, in essence. If you're securing, say, your favorite WoW (insert your own addiction) clan server, with the latest of your clan's news and maybe a forum, what do you care if that crap is lost? Just use mysql_escape_string and call it a day? Are they paying you to care?

If you're securing Fort Knox, a bank or something hella valuable, start at the ground floor. You start at your provider, check routers, servers, etc. all the way up to the code level and secure it. Because yes, killing and sanitizing beyond escaping is good, but how many times have you seen a site get brought down via DNS or other protocols, excluding anywhere your code touches?

You could say that you should learn to always write secure code, or that you need to always do x, y, z, but it just ain't true. How many possible non-printable characters do you remember? There are just some things that are ridiculous to do on a small scale, and no offense to our readership here, but well... enough said, I think.

(steps in his asbestos underwear)
#20  01-26-09, 09:46 AM
End User, Level II Curmudgeon (joined Dec 2004; 3,027 posts; 14 thanks given; thanked 35 times in 33 posts)
Quote (Originally Posted by infinitylimit):
    Let's be clear. I'm not saying it doesn't happen, I'm not saying don't care about security. I'm saying be lazy, in essence.
Well, it sure looks like that's what you're saying.


Quote (Originally Posted by infinitylimit):
    What do you care if that crap is lost?
Because it's my crap, that's why.



Quote (Originally Posted by infinitylimit):
    Just use mysql_escape_string and call it a day? Are they paying you to care?
They're paying me to do a job right, so yes, I care.


Quote (Originally Posted by infinitylimit):
    how many times have you seen a site get brought down via DNS or other protocols, excluding anywhere your code touches?
That's not the point. That's like saying "don't wear a seatbelt because the accident you're in may be caused by another driver and not by you".

Look, I'll write the most secure code I can. Period. If there's a problem, it won't be due to my laziness. There's lots of things I can't guard against but my own code isn't going to be one of them. Damn if I want to explain to a client that, "Yeah, gee whiz, I shoulda protected yer data but it seemed like a lotta work, you know?"




Quote (Originally Posted by infinitylimit):
    You could say that you should learn to always write secure code, or that you need to always do x, y, z, but it just ain't true.
That's exactly what I'm saying. You should learn to always code securely. Always. There's no good reason not to, unless you don't care about the quality of your work or what happens to your data or your customer's data. If you don't care that your server is compromised, burnt to the ground, and used to serve kiddie porn, then by all means, don't worry about security.



Quote (Originally Posted by infinitylimit):
    How many possible non-printable characters do you remember?
None, and that's why I don't bother to memorize stuff like that. I use a common security practice called "least inclusion", where only valid characters are allowed. Don't make up huge lists and try to screen out characters, make a small list of what's allowed in and ignore everything else. This is basic stuff and standard practice taught in any programming course.




Quote (Originally Posted by infinitylimit):
    There are just some things that are ridiculous to do on a small scale, and no offense to our readership here, but well... enough said, I think.
I have to admit that I'm surprised that you would take this stance and consider data security to be generally needless.
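As an added example (editorial, not code from the thread, from either poster, or from vBulletin), here is what the two positions above look like side by side in PHP: infinitylimit's "just use mysql_escape_string and call it a day" and End User's "least inclusion" rule followed by a prepared statement. It uses an in-memory SQLite database through PDO in place of MySQL (so it needs the pdo_sqlite extension), and addslashes() stands in for mysql_escape_string(), since both only escape quote characters and neither adds the surrounding quotes. The table, its rows, the validation patterns and the two inputs are all constructed for the example.

```php
<?php
// Constructed stand-in for the MySQL backend discussed in the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// "Escape and call it a day". addslashes() plays the role of mysql_escape_string():
// it escapes quotes and backslashes and nothing else. In a numeric context the
// value is never wrapped in quotes, so there is no quote for the escaping to protect,
// and whatever the client sent is spliced straight into the statement.
function lookup_escaped(PDO $pdo, string $id): array
{
    $sql = 'SELECT name FROM users WHERE id = ' . addslashes($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Least inclusion: describe what a valid value looks like and reject everything else.
// No list of bad characters to remember; the pattern is the whole policy.
function is_valid_id(string $id): bool
{
    // positive integer, no leading zero, at most 10 digits (constructed policy)
    return preg_match('/^[1-9][0-9]{0,9}$/', $id) === 1;
}

function is_valid_username(string $name): bool
{
    // letters, digits and underscore, 3 to 20 characters (constructed policy)
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $name) === 1;
}

// Hardened lookup: allow-list the input first, then bind it as a typed parameter.
// The database receives the value separately from the SQL text, so the value can
// never be parsed as SQL regardless of its contents. Returns null on rejection so
// the caller can log the bad request and respond with an error.
function lookup_safe(PDO $pdo, string $id): ?array
{
    if (!is_valid_id($id)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal request and the kind of probe an automated
// scanner sends to every parameter it finds.
$normal = '2';
$probe  = '1 OR 1=1';

echo "escape-only, normal input:\n";
print_r(lookup_escaped($pdo, $normal));
echo "escape-only, probe input:\n";
print_r(lookup_escaped($pdo, $probe));
echo "allow-list + prepared statement, probe input:\n";
var_dump(lookup_safe($pdo, $probe));
echo "allow-list + prepared statement, normal input:\n";
print_r(lookup_safe($pdo, $normal));
echo "username check: ";
var_dump(is_valid_username('sushi4664'), is_valid_username("a' OR 'x'='x"));
```

Run it and compare the two middle results: the escape-only lookup returns every row for the probe, because nothing in `1 OR 1=1` was a quote character, while the hardened lookup never lets the probe reach the database at all. The prepared statement is the control that actually removes the injection; the allow-list is the cheap first filter that also keeps junk out of logs and error pages, which is what End User means by not having to memorize non-printable characters.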
All times are GMT -5.
vBulletin® Copyright ©2000 - 2012, Jelsoft Enterprises Ltd.