
Re: (zdog) Re: Web Security

by Ovid (Cardinal)
on Jun 22, 2002 at 18:44 UTC

in reply to (zdog) Re: Web Security
in thread Web Security

zdog: I have to disagree with your assessment on this one. Different people have different styles of communication and learning and merlyn's style is simply one of many. In this case, his title was "Web Security" and here's what I consider to be the truly relevant paragraph:

In other words, not only was unchecked data from a form field (presumably from a pop-up menu or radio button) being used directly in an eval, but quite helpfully, the syntax errors were being sent back to the browser to help you refine your breakin! (And I looked hard for some sort of screening or vetting of the $p_type value, and there was none.)

In short, merlyn presented some poor Perl code and explained to us exactly why it's a problem. That seems, in my mind, to be a reasonable meditation. Of course, he didn't go step by step through various ways we might exploit this, but there's a certain level of minimum knowledge assumed on the part of the reader. Myself, I like to assume little on the part of the reader so I tend to explain things more in depth (like now), whereas merlyn appears to assume a more knowledgeable audience. Thus, he is often accused of being arrogant or rude and I'm accused of pandering. No matter how one approaches things, some people will be put off :)


Join the Perlmonks Setiathome Group or just click on the link and check out our stats.
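The paragraph Ovid quotes describes two defects at once: a form value (`$p_type`) handed straight to `eval`, and interpreter syntax errors echoed back to the browser. The following is an added illustration of the defensive shape, written for this page and not code from merlyn's post or from the application he reviewed. The handler names, the `%handler` dispatch table and the `handle_request` sub are all hypothetical; the sample inputs at the bottom are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical handlers keyed by the only $p_type values the form is
# allowed to send. Dispatching through a hash means the form value is
# only ever used as a lookup key and is never interpreted as Perl code,
# which is the problem with "eval $p_type" in the original.
my %handler = (
    summary => \&report_summary,
    detail  => \&report_detail,
);

sub report_summary { return "summary report" }
sub report_detail  { return "detail report" }

# Validate $p_type against the allowlist and run the matching handler.
# Returns (status, body). On a rejected value the body is a fixed
# message, so no interpreter diagnostics reach the browser; the detail
# goes to the server log via warn instead.
sub handle_request {
    my ($p_type) = @_;
    $p_type = '' unless defined $p_type;

    my $code = $handler{$p_type};    # exact-match lookup; "summary;" is not a key
    unless ($code) {
        warn "rejected p_type value: " . substr($p_type, 0, 64) . "\n";
        return (400, "Unknown report type");
    }

    # Block eval only traps handler failures; it does not compile input.
    my $body = eval { $code->() };
    if ($@) {
        warn "handler for '$p_type' failed: $@";
        return (500, "Internal error");
    }
    return (200, $body);
}

# Constructed sample inputs: two values the form legitimately sends,
# and two that a pop-up menu would never produce but a client can.
for my $input ('summary', 'detail', 'no_such_type', "summary;") {
    my ($status, $body) = handle_request($input);
    printf "%-15s -> %d %s\n", $input, $status, $body;
}
```

The allowlist is a hash rather than a regex so that the set of accepted values is visible in one place and a new report type cannot be added by accident. Run under a CGI or mod_perl front end, the `warn` lines land in the web server's error log, which is where the "help you refine your breakin" diagnostics belong.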

Re(3): Web Security
by cjf (Parson) on Jun 22, 2002 at 21:15 UTC

    merlyn says:

    Is there really that lack of clues out there? I don't know whether to be more scared or saddened.

    Ovid says:

    there's a certain level of minimum knowledge assumed on the part of the reader.

    Anyone see where I'm going with this?

    The people merlyn is criticizing for bad security practices aren't going to be helped much by this post. These posts always remind me of the "Perl is Good, Praise Perl" posts that come up on this site. They're preaching to the converted. If you want to help solve the problem, you're going to have to explain things in terms those who you're criticizing can understand.

    That said, merlyn's post is not without some value and I don't feel it calls for a downvote; I might even upvote it if he took that dot out of the title ;-).

      One might say that a true monk's meditations will always constitute preaching to the converted. Preaching to the heathens is done in SoPW. Sometimes we must simply say what is true without worrying about whether it will save the sinners.

