PerlMonks
Re: (zdog) Re: •Web Security

by Ovid (Cardinal)
on Jun 22, 2002 at 18:44 UTC (#176507=note)


in reply to (zdog) Re: Web Security
in thread Web Security

zdog: I have to disagree with your assessment on this one. Different people have different styles of communication and learning and merlyn's style is simply one of many. In this case, his title was "Web Security" and here's what I consider to be the truly relevant paragraph:

In other words, not only was unchecked data from a form field (presumably from a pop-up menu or radio button) being used directly in an eval, but quite helpfully, the syntax errors were being sent back to the browser to help you refine your breakin! (And I looked hard for some sort of screening or vetting of the $p_type value, and there was none.)

In short, merlyn presented some poor Perl code and explained to us exactly why it's a problem. That seems, in my mind, to be a reasonable meditation. Of course, he didn't go step by step through various ways we might exploit this, but there's a certain level of minimum knowledge assumed on the part of the reader. Myself, I like to assume little on the part of the reader so I tend to explain things more in depth (like now), whereas merlyn appears to assume a more knowledgeable audience. Thus, he is often accused of being arrogant or rude and I'm accused of pandering. No matter how one approaches things, some people will be put off :)

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the link and check out our stats.
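The defect merlyn's quoted paragraph describes is a form value fed straight into a string eval, with the compiler's complaints echoed back to the client. The following is an added Perl illustration, not code from merlyn's post, from the application he reviewed, or from Ovid; the only name taken from the thread is $p_type. The report types, the handler names and the dispatch table are assumptions, and the sample inputs are constructed so the script runs offline without CGI.pm.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added illustration, not the code merlyn reviewed. $p_type is the only name
# taken from the thread; report types, handlers and the table are assumptions.

# --- The anti-pattern described in the thread (kept only for contrast) -------
# A string eval compiles whatever arrives in the form field, and the error text
# from that compilation is returned to the client. Not called below.
sub insecure_report {
    my ($p_type) = @_;
    my $out = eval "report_$p_type()";   # user input becomes Perl source
    return "Error: $@" if $@;            # interpreter diagnostics leak to the browser
    return $out;
}

# --- Hardened version --------------------------------------------------------
# 1. An allow-list: the only accepted values are the keys of this table, so the
#    input selects a handler but is never itself compiled or interpolated.
my %REPORT_FOR = (
    daily   => \&report_daily,
    weekly  => \&report_weekly,
    monthly => \&report_monthly,
);

# 2. Failures are logged server-side in full and reported to the client only as
#    a generic message. Returns ($output, undef) on success and (undef, $error)
#    otherwise, so the caller cannot mistake an error string for report output.
sub secure_report {
    my ($p_type) = @_;
    $p_type = '' unless defined $p_type;
    my $handler = $REPORT_FOR{$p_type}
        or return (undef, 'unknown report type');
    my $out = eval { $handler->() };     # block eval: no code is built from input
    if ($@) {
        warn "report handler '$p_type' failed: $@";   # detail stays in the log
        return (undef, 'report temporarily unavailable');
    }
    return ($out, undef);
}

sub report_daily   { return 'daily totals' }
sub report_weekly  { return 'weekly totals' }
sub report_monthly { die "data source unavailable\n" }   # simulated failure

# Constructed sample inputs standing in for CGI param('p_type') values.
for my $input ('daily', 'monthly', 'daily; 1', undef) {
    my ($out, $err) = secure_report($input);
    my $label = defined $input ? "'$input'" : 'undef';
    printf "%-12s => %s\n", $label, defined $out ? $out : "rejected: $err";
}
```

Run it with `perl report.pl`: the valid type returns its report, the failing handler's real error goes to STDERR while the client-facing string stays generic, and the malformed and missing inputs are rejected before any code path is reached. The point is that a dispatch table makes the check structural rather than something a reviewer has to look hard for.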


Re(3): Web Security
by cjf (Parson) on Jun 22, 2002 at 21:15 UTC

    merlyn says:

    Is there really that lack of clues out there? I don't know whether to be more scared or saddened.

    Ovid says:

    there's a certain level of minimum knowledge assumed on the part of the reader.

    Anyone see where I'm going with this?

    The people merlyn is criticizing for bad security practices aren't going to be helped much by this post. These posts always remind me of the "Perl is Good, Praise Perl" posts that come up on this site. They're preaching to the converted. If you want to help solve the problem, you're going to have to explain things in terms those who you're criticizing can understand.

    That said, merlyn's post is not without some value and I don't feel it calls for a downvote; I might even upvote it if he took that dot out of the title ;-).

      One might say that a true monk's meditations will always constitute preaching to the converted. Preaching to the heathens is done in SoPW. Sometimes we must simply say what is true without worrying about whether it will save the sinners.

      -sam
