[FX.php List] [ OFF ] Getting to PCI compliance

Bob Patin bob at patin.com
Thu May 19 17:09:38 MDT 2011


Well, not really; the form in question is asking for name/address, card info. 

Filtering how? For some reason I never saw GGT's email.

I have someone who *supposedly* knows how to get this web app to PCI compliance; I'll be curious to see what he says.

BP


On May 19, 2011, at 3:16 PM, Dale Bengston wrote:

> Getting back to your original question... using a regex to strip characters could alter the data being submitted by users. This might not work if your regex is stripping, say, characters people are allowed (even encouraged) to use in passwords. To defend against SQL injection and cross-site scripting, you need to properly encode user input so that characters used in scripts and queries are seen as part of text strings and not processed as part of the query to "hijack" what you're trying to do.
> 
> To echo GGT, you *are* filtering your users' input, aren't you?
> 
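Dale's point in the quoted message, as an added PHP example that is not code from the list thread or from FX.php: the regex-strip approach silently alters a legitimate password, while HTML output encoding and a parameterised PDO query (an in-memory SQLite database and the sample inputs are constructed assumptions) keep the user's text intact without letting it be interpreted as markup or as part of the query.

```php
<?php
// Added example, not from the FX.php list or the FX.php project.
// Constructed sample inputs: a legitimate password that uses punctuation,
// and a name containing characters that are meaningful in HTML and SQL.
$password = "O'Reilly<2011>";
$name     = "Robert'); DROP TABLE users;--";

// 1. Stripping "special" characters with a regex changes the data itself.
function stripSpecials(string $s): string {
    return preg_replace('/[^A-Za-z0-9 ]/', '', $s);
}
// A mismatch here means the user's real password was silently altered.
$passwordSurvived = (stripSpecials($password) === $password);
echo "password unchanged by regex strip: " . var_export($passwordSurvived, true) . "\n";

// 2. Encode for the HTML context: the browser treats the value as text,
//    so quotes and angle brackets cannot open a tag or attribute.
function htmlText(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
echo '<p>Hello, ' . htmlText($name) . "</p>\n";

// 3. Use a prepared statement for the SQL context: the value is bound as
//    data, so the quote and the trailing statement are never parsed as SQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $name]);

// Read it back: the name is stored verbatim and the users table still exists.
$row = $db->query('SELECT name FROM users')->fetch(PDO::FETCH_ASSOC);
echo "stored verbatim: " . var_export($row['name'] === $name, true) . "\n";
```

Run with the PHP CLI (the pdo_sqlite extension is required for step 3); the same input is handled differently per context, which is the point Dale makes about encoding rather than stripping.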