Quote:
Originally Posted by sbhmf
I upload an xml stream as a string to the server, and without deserializing or executing the stream the server packs it into the db via stored procedure. Later, when the stream is requested, it is pulled from the db via stored procedure and sent to the client, again without deserializing or executing it. How could that possibly compromise the server or db?
Strictly speaking, and depending upon how the input is passed to MySQL, it won't, but that's not the issue here.
There are two common patterns you need to defend against: SQL injection and XSS, both of which must be prevented by the server-side validation routine. Someone can disable client-side JavaScript and its validation, or use something besides a browser to launch the attack.
SQL injections CAN damage your DB, e.g. "drop table customers". Typically, it happens from using PHP templates to build SQL statements by naively moving POST fields into VALUES statements.
XSS, on the other hand, has no deleterious effect on the server itself; it's about stealing authentication cookies or driving traffic to another site by embedding malicious redirects. Even error pages are useful for this because they often echo back the submitted data. If you are using GET, that screen is linkable, and most users will trust about any link coming from a site they know and love.
You can use <textarea>s and AJAX to show non-HTML text without any risk of XSS.
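The two patterns the reply describes, as an added example that is not part of the original thread: an uploaded "XML stream" pasted straight into a VALUES clause (the naive template pattern) beside the parameterised version that stores the same string as data, plus an error page that echoes the input back with HTML escaping so it cannot carry script. It uses Python's sqlite3 instead of MySQL; `executescript()` stands in for a connector that accepts stacked statements, and the sample documents and the `customers` table are constructed here for illustration.

```python
import html
import sqlite3

# Constructed sample uploads. The first one is what an attacker who has
# bypassed client-side validation might send (assumption: attacker controls
# the whole string, not just the XML payload).
MALICIOUS_DOC = "<doc>'); DROP TABLE customers; --</doc>"
CLEAN_DOC = "<doc><name>Ann &amp; Bob</name></doc>"


def make_db():
    """Fresh in-memory DB with a customers table holding raw documents."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, doc TEXT)")
    conn.commit()
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def naive_store(conn, doc):
    """The pattern the reply warns about: the POST field is glued into the
    statement text. executescript() stands in for a driver that runs stacked
    statements (assumption; MySQL does so when multi-statements are enabled),
    so the payload's DROP TABLE executes as a second statement."""
    sql = "INSERT INTO customers (doc) VALUES ('" + doc + "');"
    conn.executescript(sql)


def naive_store_ok(conn, doc):
    """True if the naive statement ran at all; a lone apostrophe in the
    document is enough to make it a syntax error."""
    try:
        naive_store(conn, doc)
        return True
    except sqlite3.Error:
        return False


def safe_store(conn, doc):
    """Parameterised insert: the driver sends the value out of band, so the
    string is stored verbatim and never parsed as SQL."""
    conn.execute("INSERT INTO customers (doc) VALUES (?)", (doc,))
    conn.commit()


def fetch_docs(conn):
    return [r[0] for r in conn.execute("SELECT doc FROM customers ORDER BY id")]


def render_echo(submitted):
    """Error page that echoes the submitted data back. html.escape turns
    <, >, & and quotes into entities, so a <script> tag in the input is
    displayed as text rather than executed by the browser."""
    return "<p>Could not parse: " + html.escape(submitted, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    naive_store(db, MALICIOUS_DOC)
    print("naive insert, table still present:", table_exists(db, "customers"))
    db = make_db()
    safe_store(db, MALICIOUS_DOC)
    print("parameterised insert, stored:", fetch_docs(db))
    print(render_echo("<script>alert(document.cookie)</script>"))
```

Running it shows the naive insert losing the table while the parameterised insert keeps the payload as an ordinary row; the escaped echo is safe to put in a page, and the reply's `<textarea>` suggestion works for the same reason, since the browser treats its contents as text.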