From: Jim W. <spi...@us...> - 2004-09-03 14:52:22
Shaun Murray said:
>
> On 3 Sep 2004, at 14:29, Jim Wilson wrote:
>
> >
> > Hmmmm...it just occurred to me that we could parse and remove
> > "module=" (like an obscene word).
> >
>
> If we did, then users wouldn't be able to create links or images that
> included module=, so no links to stuff on your own site or to other
> phpwebsite sites as well as quite possibly on other CMS systems that
> have module= in the url.
>

Oh right...but of course such links are a potential security issue since a low tech admin could unknowingly click on a posted link that executes something bad. This might be the worse of two evils decision for some installations. Maybe parsing for a list of the op values (e.g. "=delete") would be better.

Best,

Jim
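The two filtering ideas weighed in this message, side by side, as an added example that is not code from phpWebSite or from either poster. It is written in Python for illustration; the function names, the denylist contents beyond "delete", and the sample URLs are assumptions.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed denylist; only "delete" is named in the thread, the rest would be site-specific.
RISKY_OP_VALUES = {"delete"}

# Pulls link and image targets out of a posted HTML fragment.
URL_ATTR = re.compile(r"""\b(?:href|src)\s*=\s*["']([^"']*)["']""", re.IGNORECASE)

def query_pairs(url):
    # Undo HTML entity encoding (&amp;) first, then percent-decode via parse_qsl,
    # so "op=%64elete" and "&amp;op=delete" are compared in their effective form.
    query = urlsplit(html.unescape(url)).query
    return [(k.lower(), v.lower()) for k, v in parse_qsl(query, keep_blank_values=True)]

def has_module_param(url):
    """First proposal: treat any URL carrying module= as forbidden."""
    return any(k == "module" for k, _ in query_pairs(url))

def has_risky_op(url):
    """Second proposal: forbid only URLs where some parameter value is on the denylist."""
    return any(v in RISKY_OP_VALUES for _, v in query_pairs(url))

def review_post(fragment):
    """Return (url, blocked_by_module_rule, blocked_by_op_rule) for each link or image."""
    return [(u, has_module_param(u), has_risky_op(u)) for u in URL_ATTR.findall(fragment)]

# Constructed sample post; hostnames and parameter names are illustrative only.
SAMPLE_POST = '''
<a href="http://site.example/index.php?module=announce&amp;op=view&amp;id=3">news</a>
<img src="http://site.example/index.php?module=users&amp;op=%64elete&amp;id=1">
<a href="http://other.example/docs/faq.html">faq</a>
'''

if __name__ == "__main__":
    for url, by_module, by_op in review_post(SAMPLE_POST):
        print(f"module-rule={by_module!s:5} op-rule={by_op!s:5} {url}")
```

On the sample, the module= rule rejects the harmless "view" link along with the delete one, while the value rule rejects only the delete link, including its percent-encoded spelling.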