Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw

Re: Hacker Proofing My First Script

by jwest (Friar)
on Oct 01, 2004 at 18:50 UTC ( #395700=note: print w/replies, xml ) Need Help??

in reply to Hacker Proofing My First Script

As an aside, the technique that you've used, scrubbing the data of harmful characters, is known as a negative security model. This means that you're allowing everything, except for the few things that you're explicitly denying.

This is, arguably, a sub-optimal model to follow from a security perspective. Over time as more creative ways of breaking applications are developed you may find that a character you didn't account for can be used against you. Similarly, not all of the harmful characters may be known in advance, given a different application.

Most in the security field would argue that a positive security model is a more practical approach. In a positive security model, you deny anything that is not explicitly allowed. Instead of saying that ? should be stripped, for example, you only allow the characters that you know to be legitimate through.

As others have pointed out, there are better approaches still to your problem.


-><- -><- -><- -><- -><-
All things are Perfect
    To every last Flaw
    And bound in accord
         With Eris's Law
 - HBT; The Book of Advice, 1:7

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://395700]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others chanting in the Monastery: (6)
As of 2018-04-26 06:22 GMT
Find Nodes?
    Voting Booth?