On 6.3.2013 9.57, Steve Piercy - Web Site Builder wrote:> If you really
want to make web applications secure, you should start by
> reading this.
> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

The following is from
https://www.owasp.org/index.php/A1_2004_Unvalidated_Input

> Parameters should be validated against a =93positive=94 specification
that defines:
>
> Data type (string, integer, real, etc=85)
> Allowed character set
> Minimum and maximum length
> Whether null is allowed
> Whether the parameter is required or not
> Whether duplicates are allowed
> Numeric range
> Specific legal values (enumeration)
> Specific patterns (regular expressions)

I would be interested to hear about standard practices on Lasso, even on
code level.

Example: process in put to field labeled "First Name".

How safe am I (in terms of malicious attacks), if I do simply:

var('firstname') = action_param('firstname');
inline(-add,$myDbConfig,-table=blabla,'firstname'=$firstname);
/inline;

- Jussi
#############################################################
This message is sent to you because you are subscribed to
the mailing list Lasso
Lasso@lists.lassosoft.com
To unsubscribe, E-mail to: <Lasso-unsubscribe@lists.lassosoft.com>
Send administrative queries to <Lasso-request@lists.lassosoft.com>