[nycphp-talk] "The Web is broken and it's all your fault."

csnyder chsnyder at gmail.com
Fri Sep 15 10:37:37 EDT 2006


On 9/15/06, Anirudh Zala <arzala at gmail.com> wrote:
> 1) The biggest area of this problem is browser. Not because that it is
> being exploited in many ways but why can't browser itself provide basic
> level of validation and input filtering like validations of name, email
> address, phone, fax, mobile etc. according to country or region. This is
> not big task or too much difficult for browser's and it's extension's
> developers. If we have characters set encoding, to display text in various
> languages, available in browser then why can't we have support of
> validation of above items. Now it is not that big that which validation
> format is to be used for each country or region. We can tell browser from
> our HTML in similar way about which character set encoding to be used.

I see where this appears to make a developer's job easier, but it
doesn't do _anything_ to make web applications more secure, and could
have a negative impact on security as beginning devs will assume that
"the browser is checking all that, so I don't have to".

The problem isn't average humans using browsers. The problem is
crackers using their own tools and scripts, especially automated
scripts, to attack your sites directly. Forget about the client and
focus your efforts on protecting the server from _anything_ that could
conceivably be thrown at it.

> For example while mentioning email address at public
> place, user can write it in such a way that it can not be figured out from
> sources of data. By this way 70% of spamming can be stopped because
> spammer programs can not figure that out.

Wanna bet? The spammers are just as smart as you are, and probably
have more time to think about the problem than you do. As long as
you're the only person doing this, it will work, but as soon as
obfuscation reaches a critical mass, the screen-scrapers will get a
lot smarter overnight.

----
Chris Snyder
http://chxo.com/
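The point made above, that validation has to live on the server because an automated client never ran the browser's checks, as an added PHP example (not code from the thread or from its authors). The function name `validate_contact_form` and the two sample requests are constructed for the illustration; the only library calls are PHP's own `filter_var`, `preg_match` and `mb_strlen`.

```php
<?php
// Added example, not from the original mailing-list post.
// Server-side validation of a contact form that assumes nothing about the client:
// the same rules run whether the request came from a browser or from a script.
declare(strict_types=1);

/**
 * Validate raw request data (e.g. $_POST) for a contact form.
 * Hypothetical helper written for this illustration.
 *
 * @param array<string,mixed> $input  raw request data, fully untrusted
 * @return array{ok: bool, values: array<string,string>, errors: array<string,string>}
 */
function validate_contact_form(array $input): array
{
    $errors = [];
    $values = [];

    // Only the fields we expect are looked at; anything else is ignored, never trusted.
    foreach (['name', 'email', 'phone'] as $field) {
        // A missing field, or an array/number where a string is expected, is treated
        // as bad input. An automated client can send any shape of data it likes.
        $raw = $input[$field] ?? null;
        $values[$field] = is_string($raw) ? trim($raw) : '';
    }

    // Name: required, bounded length, no control bytes.
    if ($values['name'] === '' || mb_strlen($values['name'], 'UTF-8') > 100) {
        $errors['name'] = 'Name must be 1-100 characters.';
    } elseif (preg_match('/[\x00-\x1F\x7F]/u', $values['name']) === 1) {
        $errors['name'] = 'Name contains control characters.';
    }

    // Email: use PHP's built-in validator instead of a home-grown pattern,
    // and cap the length so oversized input is rejected, not stored.
    if (strlen($values['email']) > 254
        || filter_var($values['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email address.';
    }

    // Phone: optional; when present it must be digits with common separators.
    // Deliberately strict: invalid input is rejected rather than "cleaned up".
    if ($values['phone'] !== ''
        && preg_match('/^\+?[0-9][0-9 .()-]{5,18}[0-9]$/', $values['phone']) !== 1) {
        $errors['phone'] = 'Invalid phone number.';
    }

    return ['ok' => $errors === [], 'values' => $values, 'errors' => $errors];
}

// Constructed sample requests. The first looks like a normal form submission;
// the second is what a script that never loaded the form might send.
// Both pass through exactly the same checks.
$fromBrowser = [
    'name'  => 'Chris',
    'email' => 'chris@example.com',
    'phone' => '+1 212 555 0100',
];
$fromScript = [
    'name'  => "Chris\x00",
    'email' => 'not-an-email',
    'phone' => '<script>',
    'extra' => 'unexpected field, ignored',
];

$good = validate_contact_form($fromBrowser);
$bad  = validate_contact_form($fromScript);

echo $good['ok'] ? "browser request accepted\n" : "browser request rejected\n";
echo $bad['ok'] ? "script request accepted\n" : "script request rejected:\n";
foreach ($bad['errors'] as $field => $message) {
    echo "  {$field}: {$message}\n";
}
```

Nothing in the function looks at headers, the referring page, or any hint that a browser was involved; the request body is the only input, and it is either accepted as a whole or rejected with a per-field reason. That is the property a browser-side validator cannot provide, since the attacker simply does not use the browser.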
