[FX.php List] [ OFF ] Getting to PCI compliance

Jonathan Schwartz jschwartz at exit445.com
Thu May 19 17:30:28 MDT 2011


Yeah...so would I.

I just signed up a free trial at www.hackerguardian.com, a service 
offered by comodo.com.

Produced a report as long as my arm, covering issues in hardware, 
software, operating systems, web server, and of course...php code.

Wish I knew what half this stuff was.

Jonathan


>Well, not really; the form in question is asking for name/address, card info.
>
>Filtering how? For some reason I never saw GGT's email.
>
>I have someone who *supposedly* knows how to get this web app to PCI 
>compliance; I'll be curious to see what he says.
>
>BP
>
>
>On May 19, 2011, at 3:16 PM, Dale Bengston wrote:
>
>> Getting back to your original question... using a regex to strip 
>>characters could alter the data being submitted by users. This 
>>might not work if your regex is stripping, say, characters people 
>>are allowed (even encouraged) to use in passwords. To defend 
>>against SQL injection and cross-site scripting, you need to 
>>properly encode user input so that characters used in scripts and 
>>queries are seen as part of text strings and not processed as part 
>>of the query to "hijack" what you're trying to do.
>>
>> To echo GGT, you *are* filtering your users' input, aren't you?
>>
>


-- 
Jonathan Schwartz
Exit 445 Group
jonathan at exit445.com
http://www.exit445.com
415-370-5011
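Dale's point in the quoted paragraph, as an added PHP example that is not from the list thread: a character-stripping regex silently changes a password, whereas binding the value as a prepared-statement parameter (parameter binding is used here in place of escaping) and encoding at output time keep the data intact and still stop the characters from being treated as SQL or markup. It assumes PHP with the pdo_sqlite extension and uses an in-memory database and constructed sample input.

```php
<?php
// Added example, not from the list thread. Assumes pdo_sqlite is available.

// The strip-based approach Dale warns against: removing "dangerous"
// characters changes what the user actually typed.
function stripDangerous(string $input): string
{
    return preg_replace('/[\'";<>]/', '', $input);
}

// Keep the data intact and let the database treat it as a value: a prepared
// statement binds the string as a parameter, so a quote inside it can never
// terminate the SQL literal.
function storeUser(PDO $db, string $name, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (name, password_hash) VALUES (:name, :hash)');
    $stmt->execute([
        ':name' => $name,
        ':hash' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function passwordMatches(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// For HTML, encode when rendering so the browser sees text, not markup.
function renderName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample input: a name containing markup, a password with quotes.
$name = "O'Brien <b>";
$password = "it's \"complicated\"";

storeUser($db, $name, $password);
// The stored value is the user's real password, so it verifies as typed...
var_dump(passwordMatches($db, $name, $password));
// ...but the regex-stripped version is a different string and fails to verify.
var_dump(passwordMatches($db, $name, stripDangerous($password)));
// The name is stored unchanged; the encoding happens only at output.
echo renderName($name), "\n";
```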

