Handling Exceptions...
-
They are just asking for SQL Injection attacks I guess? My guess is that someone forgot to set a development flag to false.
Validations like 'Required Field' should be done at the browser itself, and if not, there should be some kind of validation before sending data to the DB...
Keep DotNetting!! GeekFromIndia
-
I was surfing on the SourceMaking website (Command Pattern) and thought to post a reply to one of their videos... I didn't fill in the required email field and submitted... Here is the response :laugh: ... warning: Invalid argument supplied for foreach() in /home/httpd/vhosts/quotes.com/httpdocs/mega/modules/node/node.module on line 521. warning: implode() [function.implode]: Invalid arguments passed in /home/httpd/vhosts/quotes.com/httpdocs/mega/modules/node/node.module on line 525. user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 query: SELECT n.nid, n.vid, n.type, n.status, n.created, n.changed, n.comment, n.promote, n.sticky, r.timestamp AS revision_timestamp, r.title, r.body, r.teaser, r.log, r.format, u.uid, u.name, u.picture, u.data FROM node n INNER JOIN users u ON u.uid = n.uid INNER JOIN node_revisions r ON r.vid = n.vid WHERE in /home/httpd/vhosts/quotes.com/httpdocs/mega/includes/database.mysql.inc on line 172. E-mail field is required. Invalid CAPTCHA token. The answer you entered for the CAPTCHA was not correct.
Keep DotNetting!! GeekFromIndia
I don't see the problem. I think it is great. Every error message should be so detailed and specific. It lets you know exactly what went wrong. I think this should be a WWW standard. And while we are at it, let's replace all those ambiguous 'dings' that Windows plays when you hit an invalid or inactive button with full-screen error dialogues. Just imagine if this sort of detail came up every time someone entered his/her PIN incorrectly at an ATM or POS: I bet they'd be much more careful about hitting the right keys the next time (especially if the POS device made you scroll through the error message line-by-line - and if you didn't, it would issue another error message!). Verbosity! That's the way to make all those lazy sods pay more attention to what they are doing!
Clive Pottinger Victoria, BC
-
Validations like 'Required Field' should be done at the browser itself, and if not, there should be some kind of validation before sending data to the DB...
Keep DotNetting!! GeekFromIndia
geekfromindia wrote:
Validations like 'Required Field' should be done at the browser itself
I agree and it amazes me that occasionally people ask how to validate from the database side :eek:
"I guess it's what separates the professionals from the drag and drop, girly wirly, namby pamby, wishy washy, can't code for crap types." - Pete O'Hanlon
-
geekfromindia wrote:
Validations like 'Required Field' should be done at the browser itself
I agree and it amazes me that occasionally people ask how to validate from the database side :eek:
"I guess it's what separates the professionals from the drag and drop, girly wirly, namby pamby, wishy washy, can't code for crap types." - Pete O'Hanlon
Uh, while validating in the browser is nice, don't you need to validate on the server if you want to avoid an attack? What is to stop someone from writing a script to send whatever they want to your server, or turning off JavaScript? I could see the browser validation doing something helpful like highlighting the bad field, while the server validation returns something a bit less friendly, like the name of a real web browser.
-
Uh, while validating in the browser is nice, don't you need to validate on the server if you want to avoid an attack? What is to stop someone from writing a script to send whatever they want to your server, or turning off JavaScript? I could see the browser validation doing something helpful like highlighting the bad field, while the server validation returns something a bit less friendly, like the name of a real web browser.
Andrew P Holden wrote:
don't you need to validate on the server if you want to avoid an attack?
Yes, to prevent injection attacks.
Andrew P Holden wrote:
What is to stop someone from writing a script to send whatever they want to your server
Good point. Validation should be done on both ends.
"I guess it's what separates the professionals from the drag and drop, girly wirly, namby pamby, wishy washy, can't code for crap types." - Pete O'Hanlon
-
Andrew P Holden wrote:
don't you need to validate on the server if you want to avoid an attack?
Yes, to prevent injection attacks.
Andrew P Holden wrote:
What is to stop someone from writing a script to send whatever they want to your server
Good point. Validation should be done on both ends.
"I guess it's what separates the professionals from the drag and drop, girly wirly, namby pamby, wishy washy, can't code for crap types." - Pete O'Hanlon
Almost there. Try verifying at the client - the input is of the right type - and then validating at the server. Validation is a business function and so belongs away from the user interface.
Panic, Chaos, Destruction. My work here is done.
-
Almost there. Try verifying at the client - the input is of the right type - and then validating at the server. Validation is a business function and so belongs away from the user interface.
Panic, Chaos, Destruction. My work here is done.
williamnw wrote:
Validation is a business function
Yes.
"I guess it's what separates the professionals from the drag and drop, girly wirly, namby pamby, wishy washy, can't code for crap types." - Pete O'Hanlon
-
Andrew P Holden wrote:
don't you need to validate on the server if you want to avoid an attack?
Yes, to prevent injection attacks.
Andrew P Holden wrote:
What is to stop someone from writing a script to send whatever they want to your server
Good point. Validation should be done on both ends.
"I guess it's what separates the professionals from the drag and drop, girly wirly, namby pamby, wishy washy, can't code for crap types." - Pete O'Hanlon
Actually, this is a great example of why you need to place "php_value error_reporting 0" on your production sites even if you are completely sure that your latest code is right :) By the way, if you're interested, this site is built on Drupal CMS. (Those ugly errors were my fault, Drupal is not guilty :)
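The two points made above (validate on the server as well as in the browser, and never return raw database errors to the user) as an added example in Python with SQLite, not the Drupal/PHP code behind the site in the thread. The schema, row data and function names are constructed for illustration; the unsafe function reproduces the shape of the error shown earlier, where an empty required field left the SQL ending at WHERE and the failing query was echoed to the browser.

```python
import logging
import sqlite3

log = logging.getLogger("app")


def setup_db():
    # Constructed in-memory table, loosely modelled on the "node" table named
    # in the thread's error message; not Drupal's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO node VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    return conn


def load_node_unsafe(conn, raw_nid):
    # Vulnerable shape: the request value is pasted into the SQL text and the
    # raw database error is returned to the browser. Browser-side "required"
    # checks cannot stop an empty value arriving (scripted request, JS off),
    # and an empty value leaves the statement ending at "WHERE nid = ", which
    # is a syntax error that leaks the whole query, as in the thread.
    sql = "SELECT nid, title FROM node WHERE nid = " + raw_nid
    try:
        return {"rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"error": "user warning: %s query: %s" % (exc, sql)}


def load_node_safe(conn, raw_nid):
    # Hardened shape: the server re-validates the field regardless of what
    # the browser did, binds the value as a parameter instead of building SQL
    # text, and on failure logs the detail server-side while the user only
    # sees a generic message (the effect of error_reporting 0 in production).
    if raw_nid is None or raw_nid.strip() == "":
        return {"error": "Node id field is required."}
    if not raw_nid.strip().isdigit():
        return {"error": "Node id must be a whole number."}
    try:
        rows = conn.execute("SELECT nid, title FROM node WHERE nid = ?",
                            (int(raw_nid),)).fetchall()
        return {"rows": rows}
    except sqlite3.Error:
        log.exception("node query failed")  # detail stays in the server log
        return {"error": "An internal error occurred."}
```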
-
Actually, this is a great example of why you need to place "php_value error_reporting 0" on your production sites even if you are completely sure that your latest code is right :) By the way, if you're interested, this site is built on Drupal CMS. (Those ugly errors were my fault, Drupal is not guilty :)
I would think so :rolleyes:
"I guess it's what separates the professionals from the drag and drop, girly wirly, namby pamby, wishy washy, can't code for crap types." - Pete O'Hanlon
-
Actually, this is a great example of why you need to place "php_value error_reporting 0" on your production sites even if you are completely sure that your latest code is right :) By the way, if you're interested, this site is built on Drupal CMS. (Those ugly errors were my fault, Drupal is not guilty :)
neochief wrote:
Drupal is not guilty
Is that like saying Rupaul is not guilty? -- LOL
Silence is the voice of complicity. Strange women lying in ponds distributing swords is no basis for a system of government. -- monty python Might I suggest that the universe was always the size of the cosmos. It is just that at one point the cosmos was the size of a marble. -- Colin Angus Mackay
-
Validations like 'Required Field' should be done at the browser itself, and if not, there should be some kind of validation before sending data to the DB...
Keep DotNetting!! GeekFromIndia
It should be done both browser side and server side... Browser side to reduce load on the server, and server side to prevent security and other issues.