Re: Use placeholders. For SECURITY!

by dws (Chancellor)
on Nov 14, 2003 at 06:51 UTC [id://307010]


in reply to Use placeholders. For SECURITY!

So, what can a developer do about this?

  1. Simulate injection attacks in your unit tests.

A really simple way to do this is to use names like "O'Reilly" in your unit test data. If you're doing test-driven development, this is a very inexpensive strategy for avoiding a lot of trouble.
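As an added example (not dws's code, and not from the original thread), here is a Test::More script that applies the suggestion above. It assumes DBD::SQLite is installed; the two lookup subs are hypothetical, one interpolating the value into the SQL and one using a placeholder.

```perl
use strict;
use warnings;
use DBI;
use Test::More tests => 3;

# In-memory SQLite database with one constructed row.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$dbh->do('INSERT INTO users (name) VALUES (?)', undef, "O'Reilly");

# Hypothetical lookup that interpolates the value into the SQL text.
sub count_by_name_interpolated {
    my ($dbh, $name) = @_;
    my $sql = "SELECT COUNT(*) FROM users WHERE name = '$name'";
    return $dbh->selectrow_array($sql);
}

# Same lookup with a placeholder: the value never becomes part of the SQL.
sub count_by_name_placeholder {
    my ($dbh, $name) = @_;
    return $dbh->selectrow_array(
        'SELECT COUNT(*) FROM users WHERE name = ?', undef, $name);
}

# Test data containing an apostrophe, as the post suggests.
my $awkward = "O'Reilly";

is( count_by_name_placeholder($dbh, $awkward), 1,
    'placeholder version finds the row' );

# The interpolated version builds "... name = 'O'Reilly'", which is an SQL
# syntax error; RaiseError turns that into a die, so the test catches the bug.
my $count = eval { count_by_name_interpolated($dbh, $awkward) };
ok( !defined $count && $@, 'interpolated version fails on an apostrophe' );
like( $@, qr/syntax error/, 'failure is reported as an SQL syntax error' );
```

Run it with `prove -v` as part of the normal test suite; the failing case is the one that tells you a query still needs placeholders.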

Re: Re: Use placeholders. For SECURITY!
by jdtoronto (Prior) on Nov 14, 2003 at 15:00 UTC
    And I can tell you of a number of large systems which are web based that have a problem with that! In one case I know of you put an apostrophe in an email address and the Carp output will then give you a clue to the 'backdoor' super-user type access into the system without having to authenticate.

    All for the sake of the most simple untainting. Whether it is a valid email address or not - an apostrophe is not permitted in an email address! Fortunately the data on the system is not extremely valuable. It is an email autoresponder system which handles a lot of marketing email. But then again I did wonder how an address of mine that was in somebody's newsletter list suddenly started getting spam. I suspect the spammers have been in through the back door and downloaded all the lists out of the system.

    jdtoronto

      an apostrophe is not permitted in an email address!
      It is: "'"@example.com is valid syntax.

      Abigail
