[FX.php List] [ OFF ] Getting to PCI compliance
Jonathan Schwartz
jschwartz at exit445.com
Thu May 19 17:30:28 MDT 2011
Yeah...so would I.
I just signed up a free trial at www.hackerguardian.com, a service
offered by comodo.com.
Produced a report as long as my arm, covering issues in hardware,
software, operating systems, web server, and of course...php code.
Wish I knew what half this stuff was.
Jonathan
>Well, not really; the form in question is asking for name/address, card info.
>
>Filtering how? For some reason I never saw GGT's email.
>
>I have someone who *supposedly* knows how to get this web app to PCI
>compliance; I'll be curious to see what he says.
>
>BP
>
>
>On May 19, 2011, at 3:16 PM, Dale Bengston wrote:
>
>> Getting back to your original question... using a regex to strip
>> characters could alter the data being submitted by users. This
>> might not work if your regex is stripping, say, characters people
>> are allowed (even encouraged) to use in passwords. To defend
>> against SQL injection and cross-site scripting, you need to
>> properly encode user input so that characters used in scripts and
>> queries are seen as part of text strings and not processed as part
>> of the query to "hijack" what you're trying to do.
>>
>> To echo GGT, you *are* filtering your users' input, aren't you?
>>
>
>_______________________________________________
>FX.php_List mailing list
>FX.php_List at mail.iviking.org
>http://www.iviking.org/mailman/listinfo/fx.php_list
--
Jonathan Schwartz
Exit 445 Group
jonathan at exit445.com
http://www.exit445.com
415-370-5011
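A worked illustration of Dale's point in the quoted message, added here and not code from the thread or from FX.php: the same name lookup behind a name/address form done three ways (plain concatenation, regex stripping, and a bound parameter), plus htmlspecialchars() on output for the cross-site scripting half. It assumes PDO with the SQLite driver; the table, rows and inputs are constructed for the demo.

```php
<?php
// Added example, not code from the thread: one name lookup behind a
// name/address form, handled three ways. Table and inputs are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customers (name TEXT, city TEXT)");
$db->prepare("INSERT INTO customers VALUES (?, ?)")->execute(["O'Brien", 'Dublin']);
$db->prepare("INSERT INTO customers VALUES (?, ?)")->execute(['Jane Doe', 'Portland']);

// Unfiltered concatenation: the classic injectable query.
function lookupRaw(PDO $db, string $name): array {
    return $db->query("SELECT city FROM customers WHERE name = '$name'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// The regex-stripping idea from the thread: quotes and semicolons removed.
// It changes what the user typed, so O'Brien can never be found again.
function lookupStripped(PDO $db, string $name): array {
    $clean = preg_replace("/[';]/", '', $name);
    return $db->query("SELECT city FROM customers WHERE name = '$clean'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the value is bound as data and never parsed as SQL.
// The apostrophe survives, and the injection string simply matches nothing.
function lookupBound(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT city FROM customers WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The XSS half of the same advice: encode on output instead of stripping.
function renderName(string $name): string {
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// A legitimate name with an apostrophe, and the textbook injection string.
foreach (["O'Brien", "x' OR '1'='1"] as $name) {
    foreach (['lookupRaw', 'lookupStripped', 'lookupBound'] as $fn) {
        try {
            $out = json_encode($fn($db, $name));
        } catch (PDOException $e) {
            $out = 'SQL error';   // raw concatenation breaks on O'Brien
        }
        printf("%-15s %-16s -> %s\n", $fn, $name, $out);
    }
}
echo renderName("<script>alert(1)</script>"), "\n";
```

Run with the PHP CLI: the raw query errors on O'Brien and returns every row for the injection string, the stripped query returns nothing for either, and only the bound query returns Dublin for O'Brien and nothing for the injection.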