[FX.php List] [ OFF ] Getting to PCI compliance
dale.bengston at gmail.com
Thu May 19 19:08:42 MDT 2011
GGT has posted several times on this list about filtering/validating user data. He hasn't chimed in this time.
On May 19, 2011, at 6:09 PM, Bob Patin wrote:
> Well, not really; the form in question is asking for name/address, card info.
> Filtering how? For some reason I never saw GGT's email.
> I have someone who *supposedly* knows how to get this web app to PCI compliance; I'll be curious to see what he says.
> On May 19, 2011, at 3:16 PM, Dale Bengston wrote:
>> Getting back to your original question... using a regex to strip characters could alter the data being submitted by users. This might not work if your regex is stripping, say, characters people are allowed (even encouraged) to use in passwords. To defend against SQL injection and cross-site scripting, you need to properly encode user input so that characters used in scripts and queries are seen as part of text strings and not processed as part of the query to "hijack" what you're trying to do.
>> To echo GGT, you *are* filtering your users' input, aren't you?
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
More information about the FX.php_List