January 5th, 2008
Time and again, countless articles have been written about never trusting user input and always validating it on the server side. There are quite a lot of libraries, in every imaginable language, that make server-side validation very easy.
But time and again, yet another site pops up that has only client-side validation. One such site is http://www.cinetickets.in/. The site has a registration page. The first field required is called “user id” and we have to give our phone number. What crap!
With such crappy validation schemes, I’m pretty sure that there is no server-side validation being done either. They are just taking data from the client and pushing it into a database (most probably MySQL) without sensitive data being encrypted (they accept credit card details etc.). Assuming I’m a hacker, the site can be brought down within a few minutes! Looks like the CineTickets website is programmed by a company called EvinceTech.com. Don’t ever outsource your website development there. It’s very easy to conclude that they are a shit load of programmers.
Anyway, I found an awesome PHP script some days ago that filters out dangerous tags from strings. The script is available here. I encourage everyone to use it, if you can’t or don’t want to write one of your own.
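As an added example (not the script linked above and not the site's code), this is what the server-side check the post asks for could look like in PHP for a registration form with a user id, phone and e-mail field. It uses an allowlist of accepted formats plus a prepared statement instead of stripping tags; the field names, patterns and table name are assumptions.

```php
<?php
declare(strict_types=1);

// Allowlist rules: each field must match its pattern entirely (assumed formats).
// 'email' is handled by filter_var instead of a regex.
const RULES = [
    'user_id' => '/^[A-Za-z0-9_]{3,32}$/',   // a login name, not a phone number
    'phone'   => '/^\+?[0-9]{10,15}$/',
    'email'   => null,
];

// Validate raw request data on the server, regardless of what the browser checked.
function validateRegistration(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (RULES as $field => $pattern) {
        $value = (isset($post[$field]) && is_string($post[$field])) ? trim($post[$field]) : '';
        if ($value === '') {
            $errors[$field] = 'required';
            continue;
        }
        $ok = ($field === 'email')
            ? filter_var($value, FILTER_VALIDATE_EMAIL) !== false
            : preg_match($pattern, $value) === 1;
        if (!$ok) {
            $errors[$field] = 'invalid format';
            continue;
        }
        $clean[$field] = $value;
    }
    return ['errors' => $errors, 'data' => $clean];
}

// A prepared statement keeps the values out of the SQL text, so they are never
// interpreted as part of the query even if the rules above are loosened later.
function insertUser(PDO $db, array $data): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (user_id, phone, email) VALUES (:user_id, :phone, :email)'
    );
    $stmt->execute($data); // only called when $result['errors'] is empty
}

// Constructed request, as a client that skipped the browser-side checks might send it.
$result = validateRegistration([
    'user_id' => '<script>alert(1)</script>',
    'phone'   => '9876543210',
    'email'   => 'someone@example.com',
]);
// $result['errors'] is ['user_id' => 'invalid format']; nothing is stored.
// Anything later echoed back into HTML still goes through htmlspecialchars($v, ENT_QUOTES, 'UTF-8').
```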