js and php intertwine
Posted: Mon Jun 13, 2005 10:47 pm
I don't think this is the right spot for this, but it is theory, so here it goes.
I've been hearing some stuff and have seen a few pages talking about developers trying to get JS and PHP to run more closely, and I think this is a bad idea for security reasons. Imagine if JS was developed to use and/or read PHP variables. That would mean any type of XSS attack could read variables and output them to the attacker, and the admin would not have much of a chance of noticing it. Also, for big open source projects where all variables can easily be looked up by checking the source, this could be a huge problem; for example, an attacker could document.write($DbPassword) and have the MySQL details of the site.
Also, if developers used PHP variables in JavaScript and someone edited the HTML source, there could be all sorts of manipulation problems/authentication bypasses and more problems of gaining passwords and usernames.
Has anyone else been hearing/seeing about these two languages merging more closely and/or thought of the security consequences of such an action?
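An added example, not part of the original post: a PHP sketch of the two concerns raised above, showing that a server-side variable reaches JavaScript only if the PHP code prints it, and that a value the browser sends back must not decide authorisation. The names `$dbPassword`, `js_config`, `is_admin_weak`, `is_admin_strict` and the sample request are hypothetical and constructed for illustration.

```php
<?php
// Constructed placeholder secret: it lives only in PHP's memory on the server
// and is never part of the response unless the code prints it.
$dbPassword = 'constructed-placeholder';

// Values deliberately handed to the browser, encoded for a <script> context so
// that data such as "</script>" cannot break out of the script block.
function js_config(array $public): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    return '<script>const CONFIG = ' . json_encode($public, $flags) . ';</script>';
}

// Weak: authorisation decided from a form field that was written into the
// HTML from a PHP variable and then sent back by the browser.
function is_admin_weak(array $post): bool {
    return ($post['is_admin'] ?? '0') === '1';
}

// Corrected: authorisation decided from server-side session state only.
function is_admin_strict(array $session): bool {
    return ($session['role'] ?? '') === 'admin';
}

// Constructed request: an ordinary member who edited the hidden field in the
// HTML source before submitting the form.
$session = ['user' => 'alice', 'role' => 'member'];
$post    = ['is_admin' => '1'];

// Only the explicitly listed public values are emitted to the page.
$html = js_config(['user' => $session['user'], 'motd' => '</script><b>hi</b>']);
echo $html, PHP_EOL;

// Check whether the secret appears anywhere in the generated page.
var_dump(strpos($html, $dbPassword) !== false);

// Compare how each check treats the tampered request.
var_dump(is_admin_weak($post));
var_dump(is_admin_strict($session));
```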