[Hunch]

Quote:

Originally Posted by mx

To avoid SQL injection etc.

Yeah, I got what you were trying to say. I just didn't see the distinction in the same way as you described. There are cases where PHP may not need validation (e.g. prepared statements) or Javascript really should (e.g. untrusted "black box" database connector). My point was just that it's impossible to make such blanket statements about any language. Everything is subject to the context in which its used.

[hobolooter]

Quote:

Originally Posted by Hunch

Yeah, I got what you were trying to say. I just didn't see the distinction in the same way as you described. There are cases where PHP may not need validation (e.g. prepared statements) or Javascript really should (e.g. untrusted "black box" database connector). My point was just that it's impossible to make such blanket statements about any language. Everything is subject to the context in which its used.

In this case I'd disagree. It's pretty obvious that server side code should be tested while, client side is there merely to prevent a legitimate user from failing to complete a form. Anything client can be tampered with, therefore testing client side is a waste for protection, end of story.

[Hunch]

Ok, since you disagree, answer me a question:

I have a form which asks you to enter your name. It does nothing more than chuck your name into a database using a mysqli/prepared statement, so that next time you come to the site, it can check for a cookie and greet you personally "Welcome back Hobolooter" style.

What needs to be validated by PHP?

Note: checking whether or not it's a valid name isn't an answer, because the discussion is about looking at this from a security perspective. I might decide I want to be called |-|µ|\|(|-| - is that a problem?

Edit reason: noticed a grammatical error.

[mx]

Quote:

Originally Posted by Hunch

What needs to be validated by PHP?

Every user input into a database must be validated/processed. What if my chosen name is 'Delete * from *' ?

From a security perspective you would need encode/stripslashes etc before you inserted your 'name' into the database, regardless of what your intended use for it would be. Else you would potentially allowing malicious code which could destroy your data, hijack your server etc.

...

Regardless of security or not, the only way you would be able enter data into your database would be through PHP, not Javascript.

[blackf0rk]

hobolooter and mx are right on target. If anything is going to go into a sql statement to execute on a table it needs to be checked/validated so that the data going in is exactly what you're expecting (a valid and harmless string, just a number, etc).

If the user is asked to save just their name, in this example, the person could simply add on to his name a semicolon to try to end the current sql statement and append a new one, like what mx said, "DELETE * FROM TABLENAME"

Many times the attacker is not going to do a DELETE command right away; because they don't know table names or field names. So they'll execute a bunch of code to try and look for table names. When their code fails, they'll get an error back. Depending on what the error says, they know if the table exists or not. They then move on to field names. Once they found a table and a field, they start injecting code. Most often I've seen <script> code that includes a .js file; especially for Web CMS tables/fields.

[hobolooter]

Quote:

Originally Posted by Hunch

Ok, since you disagree, answer me a question:

I have a form which asks you to enter your name. It does nothing more than chuck your name into a database using a (mysqli/prepared statement), so that next time you come to the site, it can check for a cookie and greet you personally "Welcome back Hobolooter" style.

What needs to be validated by PHP?

Note: checking whether or not it's a valid name isn't an answer, because the discussion is about looking at this from a security perspective. I might decide I want to be called |-|µ|\|(|-| - is that a problem?

Prepared statements are touted as being more secure than using a normal query, because you cannot alter them and anything put in will be executed as such. You are correct in saying that that particular form input would not need validation. However, I'm paranoid and do not trust PHP and its plethora of security holes. Null characters, double encoding, etc. all scare me and lead me to believe something malicious is about to happen.

Besides you must agree that it is atleast good practice to validate, even when not necessary. If you have a field called name and someone enters in numbers or a phone number and someone enters in letters, its good to have validation in the backend as well.

[Hunch]

I don't disagree with you at all hobo - you spotted my setup for what it was and my comments below aren't aimed at you in any way. I totally concur that it's good practice to validate data, if for no other reason that you want to sanitize it for easy searching or to remove total nonsense data. I also share the same paranoia with anything coming in from the user-end and I wouldn't pretend otherwise. I accept my example was a little contrived to make a point, but nonetheless I think its illustrated what I wanted to show.

What I took issue with was the blanket statement made earlier in this thread (by someone else) along the lines of "PHP must validate, Javascript is good practice but non-essental etc..." (paraphrasing).

Looking at coding in these black and white "there is only one way" terms is to go against everything that programming means. i.e. considering EVERY case on its individual merits. If you go into something with a singular view of how something should be done, you need to reconsider your entire approach to programming.

mx and Blackf0rk - forgive me for being a little mean, but you've just fallen straight into the little trap I set to make my point. You've given a stock answer about SQL Injection without either understanding the problem, or considering it in isolation. Your "DELETE *" examples would do absolutely nothing in the situation I described, regardless of how many semicolons you throw in. I tried to give a little hint with my bizarre 'leetspeak' name containing all manner of bad characters, but perhaps it was overlooked. Clearly neither of you knows what a prepared statement is, or how it nullifies exactly the kind of attack you've suggested but you confidently answered the question because that's what you've learned before.

And that's really all I was trying to say. Looking at a problem with a pre-ordained answer already firmly fixed in your head, is not how good programmers work. Look at the context of every new problem with fresh eyes and figure out the solution based on it's individual peculiarities. If you have a past solution that will work for you, then go with it. But don't just pick your answer because it looks like something you've seen before. It might not be.

[mx]

You're quite right Hunch.

I hadn't encountered what a 'prepared statement' was, but thanks to Google and you I do now, so thanks.

One of the statements that I've encountered numerous times when learning PHP, is the need to validate any user-defined variables, so clearly they hadn't heard of prepared statements either.

[MikeMackay]

* talking bollocks, ignore me *

[Hunch]

Quote:

Originally Posted by mx

You're quite right Hunch.

I hadn't encountered what a 'prepared statement' was, but thanks to Google and you I do now, so thanks.

One of the statements that I've encountered numerous times when learning PHP, is the need to validate any user-defined variables, so clearly they hadn't heard of prepared statements either.

It's a pleasure, and I appreciate your gracious response - a true sign of class.

One of the problems with Mysql/PHP at the moment is that a huge number of the tutorials on the web are poorly written and largely copied from one another so they propagate at best moderately decent coding practices. However, for a long time now PHP has had the mysqli extension -I'd urge you to investigate it. The 'i' stands for 'improved' simply because it's a better than what went before. Even so, the majority of how-tos on the web are still teaching the old ways. There's nothing inherently wrong with that, but when the PHP developers themselves actually call something 'improved' it's a reasonably safe bet to assume that it's a good idea to use it.

PHP: Mysqli - Manual

[carbide20]

I would say php if you want to do the main programming on websites, etc. Javascript is more for flash effects that enhance the user experience.

[Aakriti]

I would go with PHP.

If you code a web form, you MUST validate the data with PHP, where as Javascript validation is merely good practice.

[Hunch]

Quote:

Originally Posted by Aakriti

I would go with PHP.

If you code a web form, you MUST validate the data with PHP, where as Javascript validation is merely good practice.

Yeah... very funny.

[adaptivmedia]

I'd go PHP because generally there are far more tutorials available on the web for this and PHP will work (and as intended as long as it's programmed error free) regardless of browser. Javascript of course relies upon the end-user having Javascript enabled in their browser which is not too great. Javascript isn't as necessary I don't feel for the beginner programmer. Just get some hosting that has PHP installed and reupload your script and refresh your browser to preview what you do. PHP also has greater possibilities than Javascript with functions in place to deal with PDFs, Images and Databasing etc. Javascript would be handy to learn in the future though.

[Alex123]

Perl - If you're interested in learning about a more mature language than PHP, which is also used by many web sites. Also very useful for more back end server and data mugging tasks.

Python - Used a lot by some of the 'heavy hitters' such as Google. Many consider it to be 'cleaner' than PHP or Perl and its heavy object oriented approach seems to favor larger app development.

C/C++ - You may or may not use this as much on web dev projects but it comes in
Handy sometimes and looks great on your resume. Also, some people won't consider you a serious programmer unless you know some C. I think there's some truth to that - C will teach you good programming etiquette and after all it’s the basic of PHP and many other languages (including Perl and Python)

infysolutions.com

[freelancr]

Quote:

Originally Posted by Alex123

Perl, Python, C/C++

I wouldn't use any of these for web development, they are all much slower than PHP.

[Hunch]

You're kidding right?

C and C++ are both overwhelmingly faster than PHP Frequently depending on what you're doing you can see performance increases of 100 times or more. They're generally recognized as the fastest mainstream languages (unless you count assembler). Even Python often beats PHP into the ground.

PHP is a great webdev language, but speed is absolutely not its forte.

[freelancr]

Quote:

Originally Posted by Hunch

C and C++ are both overwhelmingly faster than PHP

Who uses it for web development though? Is a website powered by C (using CGI? does it work with fast-cgi?) faster than PHP (using Fast-CGI or mod_php)?

Quote:

Originally Posted by Hunch

Even Python often beats PHP into the ground.

Every .py webpage I have come across has been really fucking slow to load or interact with.

[Cborrow]

Yes C/C++ can be used with Fast-CGI and you can get a speed increases as-well. It's especially true when doing very database intensive applications.

Although that is only when using a "well-written" C/C++ program.

FastCGI -- The Forgotten Treasure

[Hunch]

Quote:

Originally Posted by freelancr

Who uses it for web development though?

That's not really my point. I was simply stating that it's generally considered faster - a lot faster. I'm not commenting on whether it's used more. C++ (and C to an extent) are both significantly harder languages to learn, and especially to learn well. PHP is generally the language of choice for most developers because it's "fast enough" and a child could learn it.

Quote:

Is a website powered by C (using CGI? does it work with fast-cgi?) faster than PHP (using Fast-CGI or mod_php)?

Here's a fairly detailed comparison by a company that makes search software.

WrenSoft - Zoom Search Engine - Benchmarking PHP vs ASP vs Javascript vs CGI

It's obviously important to point out that this is just one comparison, however you will see largely similar, or sometimes even more conclusive results if you trawl the web for other data sets.