and lets you come up with your own designs. like the internet made everyone a publisher, this could make every one a manufacturer. write your own books and distribute online, design your own gun model and distribute online. watch out, the next **AA will be the NRAA.

this person owns their own business. he's not an advanced dev by any stretch of the imagination. he doesn't use version control, he's just starting to discover "frameworks" though i don't know if he really understands the concept yet. he taped together some php code that let him set a cookie marking himself as as admin, and a setting variable that allowed him to "debug" his code. this was essentially a form box at the bottom of the page that let him run arbitrary code at certain points -- all for the sake of not swapping back to his code editor, saving, swapping back to the browser, refreshing. the site that got attacked was so small i don't know how he was found. my guess is he posted for help on a bunch of forums and left links to his site. i thought it was funny that there was some pdo code in the site, because he'd outsourced to india for a couple months to handle his workload. i've known him for longer than i've known how to code and he has a pride issue with asking me for help in that area.

if you have a form input box that lets you update variable values with ajax like as if it were firebug, you can skip prepared statements. the overall point is that with enough ignorance and carelessness you can build an app that lets someone abuse every major vulnerability, while still thinking that you're secure, even using prepared statements for your own queries.

i'm not sure where everyone is getting xss from. i said cross-site request forgery, that's csrf. and yes, this person's app was (very poorly) written in php.

i referred to a csrf, not xss. although this poor dev's little hand drawn admin mode was also vulnerable to xss. it was a nightmare to look at.

i think it's jerk, jerk, jerk and maybe ...

both obama and romney gave that answer when asked "what the fuck are you doing here?"

marijuana resin can be used to make plastics stronger than steel. henry ford made a car body out of it and demonstrated it with a sledgehammer: http://www.youtube.com/watch?v=xRIvGxCLHGI

prepared statements work great for almost every sql injection attack, but they are not the silver bullet. the structure of your app could allow an xss attack to run a query that doesn't use them, for instance.

i've also seen some really nasty sql injection attacks using declare, cast and exec to traverse every db, every row, every column and replace every value with an html script tag referencing a foreign-hosted javascript file -- all stemming from a cross-site request forgery that allowed the attacker to run the app as an admin in "debug" mode. almost everything that went wrong with that problem was caused by application architecture.

the reality is most devs don't get to learn about these things until it happens to them. roll that in your eula and smoke it.

you mean PCI compliance. it's not a law, though some states have laws that borrow heavily from this standard.

http://www.pcicomplianceguide.org/security-tips-20090227-pci-compliance-law.php

FTFY

are you sure you're not confusing this story with this one? http://science.slashdot.org/story/12/08/15/0447228/widely-used-antibacterial-chemical-may-impair-muscle-function

AND, it's not called Vegas, it's LAS Vegas. take your medicine, mcgrew. take it. do it now.

what do you mean, you people?

pdfs are supposed to be rich formatted text documents that can embed images, nothing more. by allowing document creators to embed javascript, they open this medium up to many of the same, and some unique, attack vectors. here's just one example that made the news: http://www.zdnet.com/blog/security/adobe-confirms-pdf-zero-day-attacks-disable-javascript-now/5119. the same poisoned pdfs when rendered through a pdf reader without javascript execution capabilities are harmless. it doesn't really matter how the bad javascript code got there (just that it can be executed if it is there), but your info about livecycle-produced pdfs is interesting.

imho it got out of control when they added executable javascript.