Hi Richard
Thanks for the reply. Please see my responses below:
On Mar 27, 2018, at 1:06 PM, Richard DeShong <richard@xxxxxxxxxxxxxx> wrote:
Hi Joel,
For best practice, use isset(), empty() and other tests to verify that you
are getting everything that you should get (from $_POST or $_GET, and
$_SESSION). And then return an appropriate error if not.
If their test is hitting your web server with a URL using GET variables, and
your php is expecting POST variables, then your form ($_POST) variables would
be !isset(). This goes for $_SESSION vars that you are expecting to be set.
Verifying "what you got" should happen before any other processing.
Certainly before you talk to the db.
On 3/27/2018 12:15 PM, beverlyvoth wrote:
Reassurance = good. I have clients that have IT that read every error/event
log. I still try to prevent.
Beverly
On Mar 27, 2018, at 1:52 PM, Joel Shapiro <info@xxxxxxxxx> wrote:
Thanks Richard
Yes, that was the first thing I told them.
Still, I wanted to see what's needed to pass the penetration testing
without getting those warnings, since this is the first I’d run into it.
(you know, best practices and whatnot ;-)
Thanks,
-Joel
FX.php Official Web Site -- http://fx.iviking.org/
FX.php Official Mailing List -- //www.freelists.org/list/fx.php_list
(Subscribe, unsubscribe, and more at the mailing list site!)
FX.php_List@xxxxxxxxxxxxxxxx
--
Richard DeShong
Logic Tools
510-642-5123 office
925-285-1088 cell
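As an added example (not code from this thread or from FX.php itself), the check Richard describes written out in PHP 7.4+: reject the wrong request method, test every expected $_POST field and the $_SESSION state with isset() before any other processing, and answer a bad request with a generic error while the detail goes to the server log. The form field names, the session key and the validation rules are assumptions for illustration.

```php
<?php
// Added example, not FX.php code. Field names and rules are hypothetical.
declare(strict_types=1);

// Each expected form field maps to a rule that says what a valid value looks like.
$expected = [
    'username' => fn($v) => is_string($v) && preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $v) === 1,
    'password' => fn($v) => is_string($v) && strlen($v) >= 8 && strlen($v) <= 256,
];

// Returns a list of problems; an empty list means every field is present and valid.
function validateRequest(array $source, array $expected): array
{
    $errors = [];
    foreach ($expected as $name => $isValid) {
        // isset() is what prevents the "undefined index" notice a scanner
        // triggers by sending the request without the field, or via GET.
        if (!isset($source[$name]) || $source[$name] === '') {
            $errors[] = "missing: $name";
        } elseif (!$isValid($source[$name])) {
            $errors[] = "invalid: $name";
        }
    }
    return $errors;
}

// A GET against a POST-only handler is refused before $_POST is ever read.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method not allowed');
}

$errors = validateRequest($_POST, $expected);
if ($errors !== []) {
    // Detail for the people who read the logs; the client sees only a generic message.
    error_log('rejected form submission: ' . implode(', ', $errors));
    http_response_code(400);
    exit('Invalid request');
}

// Session state the handler depends on is verified the same way (hypothetical key).
session_start();
if (!isset($_SESSION['user_id']) || !is_int($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not signed in');
}

// Only at this point is it safe to build the database call from $_POST values.
```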