Server and HTPC webconsole
[QUOTE="joz, post: 401951, member: 70244"]
Sorry but I'm not going with you, which in my opinion is just plain paranoia.

I'm a webdev, and yes I know about injection (you forgot to mention javascript injection ;)), so what's the big deal here? Just escape user input. Just another one of those tricks.

I still haven't had any concrete example of what can go wrong in this particular situation. Please do not see this as some sort of personal attack. I'd just want to nail this on the head before proceeding any further.

I truly believe Pilehave's statement. As long as the server software you're running does not have any known and serious security issues there's not that much that can totally go wrong and even have hackers infiltrating further than the server.
Especially that last bit is kinda impossible from my point of view. Yeah sure most things are possible, it's just very unlikely.

If the software does have issues it's most likely to be restricted to within the program's domain. For example Apache is not allowed to delete any system files/folders. That's not handled by Apache like this, just how Windows works.

I know I'm not immune, and as you said yes, nobody's immune. Again you should however consider the likeliness of a security failure and the importance of the data stored on the machine.
The likeliness is I guess above average with this portal however the data bit pulls it down again (from my perspective). So yes security is important, also for this webapp, however to me, no deal breaker.
[/QUOTE]