PerlMonks  

Re: Hacker Proofing My First Script

by jwest (Friar)
on Oct 01, 2004 at 18:50 UTC (#395700)


in reply to Hacker Proofing My First Script

As an aside, the technique that you've used, scrubbing the data of harmful characters, is known as a negative security model. This means that you're allowing everything, except for the few things that you're explicitly denying.

This is, arguably, a sub-optimal model to follow from a security perspective. Over time, as more creative ways of breaking applications are developed, you may find that a character you didn't account for can be used against you. Similarly, not all of the harmful characters may be known in advance, given a different application.

Most in the security field would argue that a positive security model is a more practical approach. In a positive security model, you deny anything that is not explicitly allowed. Instead of saying that ? should be stripped, for example, you only allow the characters that you know to be legitimate through.

As others have pointed out, there are better approaches still to your problem.

--jwest



-><- -><- -><- -><- -><-
All things are Perfect
    To every last Flaw
    And bound in accord
         With Eris's Law
 - HBT; The Book of Advice, 1:7
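The contrast jwest draws above, shown as an added example (this is not code from the original post or from the script under discussion). Both subs below are assumptions made for illustration: `scrub_negative` strips a hand-picked deny list, and `validate_positive` accepts only a username-shaped value (letters, digits, underscore, 1 to 32 characters, an assumed rule) and rejects everything else. The sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Negative security model: delete a hand-picked set of "harmful" characters.
# Anything not on this list passes through untouched.
sub scrub_negative {
    my ($input) = @_;
    (my $clean = $input) =~ tr/;|&<>?//d;   # remove only the listed characters
    return $clean;
}

# Positive security model: accept only what a username is allowed to look
# like and reject the whole value otherwise. The pattern is an assumption
# for this example. Note \A and \z rather than ^ and $: a trailing "$"
# would still match a string that ends in a newline.
sub validate_positive {
    my ($input) = @_;
    return $input =~ /\A[A-Za-z0-9_]{1,32}\z/ ? $input : undef;
}

# Make embedded control characters visible when printing.
sub display {
    my ($str) = @_;
    $str =~ s/\n/\\n/g;
    return "'$str'";
}

# Constructed sample inputs.
my @samples = (
    "alice",           # plainly legitimate: both models accept it
    "bob;extra",       # ';' is on the deny list, so it is stripped
    "carol\$HOME",     # '$' was never put on the deny list, so it passes
    "dave\nsecond",    # an embedded newline also slips past the deny list
);

for my $s (@samples) {
    my $neg = scrub_negative($s);
    my $pos = validate_positive($s);
    printf "%-16s negative => %-16s positive => %s\n",
        display($s), display($neg), defined $pos ? $pos : '(rejected)';
}
```

Run it as `perl allowlist.pl` (any file name). The first input is accepted by both models; the second is "cleaned" by the deny list but rejected by the allow list; the third and fourth pass the deny list unchanged because nobody anticipated those characters, while the allow list rejects them without needing to know why they are dangerous. That is the practical difference: the positive model's correctness depends only on knowing what legitimate input looks like, not on enumerating every way input can go wrong.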

