Hi,
I just have a quick general question regarding input validation policy.
How necessary/recommended is it to do input validation in a private, password-protected area of a site? I mean, if the site is already compromised, what's the point?
Bye,
It may just be that a user account has been compromised.
Yes, exactly,
but if that has already happened, what's the point of keeping up the checking on the non-public side to prevent the site from being compromised?
To prevent SQL injection that might cause further damage to your database. Of course, if the user is exceptionally powerful, then the commands issued from the legitimate interface may be very damaging anyway, in which case damage limitation is pointless.
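The point in the last reply, as an added example that is not part of the original thread: a search handler behind the login, first trusting input because the caller is authenticated, then binding it as a parameter. The `notes` table, the function names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows for two users."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notes (owner TEXT, body TEXT);
        INSERT INTO notes VALUES ('alice', 'alice: meeting at 10');
        INSERT INTO notes VALUES ('bob',   'bob: payroll export key');
    """)
    return db

def search_notes_unsafe(db, session_user, term):
    # "Before": input is trusted because the caller is logged in, so the
    # search term is pasted straight into the SQL text.
    sql = (f"SELECT body FROM notes "
           f"WHERE owner = '{session_user}' AND body LIKE '%{term}%'")
    return [row[0] for row in db.execute(sql)]

def search_notes_safe(db, session_user, term):
    # "After": same feature, but the term is length-checked and bound as a
    # parameter, so it can only ever be compared as data.
    if len(term) > 64:
        raise ValueError("search term too long")
    sql = "SELECT body FROM notes WHERE owner = ? AND body LIKE ?"
    return [row[0] for row in db.execute(sql, (session_user, f"%{term}%"))]

# Constructed input, as a compromised low-privilege account might submit it.
CONSTRUCTED_TERM = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    # Normal use: alice sees only her own note.
    print(search_notes_safe(db, "alice", "meeting"))
    # Unsafe handler: alice's session now reads bob's row as well.
    print(search_notes_unsafe(db, "alice", CONSTRUCTED_TERM))
    # Safe handler: the same input matches nothing.
    print(search_notes_safe(db, "alice", CONSTRUCTED_TERM))
```

With the parameterized handler, a compromised ordinary account stays limited to what that account could already reach through the legitimate interface.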