
Re: Use placeholders. For SECURITY!

by dws (Chancellor)
on Nov 14, 2003 at 06:51 UTC

in reply to Use placeholders. For SECURITY!

So, what can a developer do about this?

  1. Simulate injection attacks in your unit tests.

A really simple way to do this is to use names like "O'Reilly" in your unit test data. If you're doing test-driven development, this is a very inexpensive strategy for avoiding a lot of trouble.
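
As an added example (not part of the post above or of the original thread): a Test::More script that runs apostrophe-bearing names through a DBI lookup, once with a bound placeholder and once with the value interpolated into the SQL. The `subscribers` table, the `find_bound`/`find_interpolated` functions and every sample row are constructed for illustration, and the script assumes DBD::SQLite is installed.

```perl
#!/usr/bin/perl
# Added example: names, table and functions below are hypothetical.
use strict;
use warnings;
use DBI;
use Test::More;

# In-memory SQLite database so the test runs offline (needs DBD::SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE subscribers (name TEXT, email TEXT)');

# Constructed test data: every row carries a quote character on purpose.
my @rows = (
    [ q{Tim O'Reilly},  q{tim@example.com} ],
    [ q{Miles O'Brien}, q{o'brien@example.com} ],
    [ q{x' OR '1'='1},  q{probe@example.com} ],
);
my $ins = $dbh->prepare('INSERT INTO subscribers (name, email) VALUES (?, ?)');
$ins->execute(@$_) for @rows;

# "Before" form: the value becomes part of the SQL text.
sub find_interpolated {
    my ($dbh, $name) = @_;
    return $dbh->selectall_arrayref(
        "SELECT email FROM subscribers WHERE name = '$name'");
}

# Placeholder form: the value is bound and never parsed as SQL.
sub find_bound {
    my ($dbh, $name) = @_;
    return $dbh->selectall_arrayref(
        'SELECT email FROM subscribers WHERE name = ?', undef, $name);
}

# With placeholders each quoted name matches its own row and nothing else.
for my $row (@rows) {
    my ($name, $email) = @$row;
    is_deeply(find_bound($dbh, $name), [[$email]], "bound lookup for <$name>");
}

# The same data exposes the interpolated form: a SQL syntax error ...
my $got = eval { find_interpolated($dbh, q{Tim O'Reilly}) };
ok(!defined $got, 'interpolated lookup dies on an apostrophe');

# ... or a WHERE clause that matches every row in the table.
$got = eval { find_interpolated($dbh, q{x' OR '1'='1}) };
is(scalar @{ $got || [] }, scalar @rows, 'interpolated lookup returns all rows');

done_testing();
```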

Re: Re: Use placeholders. For SECURITY!
by jdtoronto (Prior) on Nov 14, 2003 at 15:00 UTC
    And I can tell you of a number of large systems which are web based that have a problem with that! In one case I know of you put an apostrophe in an email address and the Carp output will then give you a clue to the 'backdoor' super-user type access into the system without having to authenticate.

    All for the sake of the most simple untainting. Whether it is a valid email address or not - an apostrophe is not permitted in an email address! Fortunately the data on the system is not extremely valuable. It is an email autoresponder system which handles a lot of marketing email. But then again I did wonder how an address of mine that was in somebody's newsletter list suddenly started getting spam. I suspect the spammers have been in through the back door and downloaded all the lists out of the system.


      an apostrophe is not permitted in an email address!
      It is: "'" is valid syntax.

