PerlMonks  

Re: Hacker Proofing My First Script

by jwest (Friar)
on Oct 01, 2004 at 18:50 UTC (#395700)


in reply to Hacker Proofing My First Script

As an aside, the technique that you've used, scrubbing the data of harmful characters, is known as a negative security model. This means that you're allowing everything, except for the few things that you're explicitly denying.

This is, arguably, a sub-optimal model to follow from a security perspective. Over time, as more creative ways of breaking applications are developed, you may find that a character you didn't account for can be used against you. Similarly, not all of the harmful characters may be known in advance, given a different application.

Most in the security field would argue that a positive security model is a more practical approach. In a positive security model, you deny anything that is not explicitly allowed. Instead of saying that ? should be stripped, for example, you only allow the characters that you know to be legitimate through.

As others have pointed out, there are better approaches still to your problem.

--jwest



-><- -><- -><- -><- -><-
All things are Perfect
    To every last Flaw
    And bound in accord
         With Eris's Law
 - HBT; The Book of Advice, 1:7
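The two models the reply contrasts, side by side, as an added example that is not code from jwest or from the original poster's script. The denylist in scrub_negative and the allowlist pattern in validate_positive are assumptions chosen for illustration (a username-like token), and the sample inputs are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Negative security model: delete the characters we *think* are harmful and
# pass everything else through. The denylist is hypothetical, for illustration.
sub scrub_negative {
    my ($input) = @_;
    (my $clean = $input) =~ tr/;|&<>?"'//d;   # delete only these characters
    return $clean;
}

# Positive security model: accept the value only if every character is on an
# allowlist and the length is bounded. Returns the validated value, or undef
# when the input is rejected. The allowlist is an assumption for this example.
sub validate_positive {
    my ($input) = @_;
    # \A and \z anchor to the true start and end of the string. A bare $
    # would still match before a trailing newline, which is exactly the kind
    # of gap an allowlist is supposed to close.
    return $1 if $input =~ /\A([A-Za-z0-9_.-]{1,64})\z/;
    return undef;
}

# Display helper: make an embedded newline visible in the output.
sub quote {
    my ($str) = @_;
    $str =~ s/\n/\\n/g;
    return "'$str'";
}

# Constructed sample inputs, not data from the original thread.
my @samples = (
    "alice",                # legitimate
    "alice; rm -rf /",      # ';' is on the denylist: stripped, rest passes
    "alice`id`",            # backtick is NOT on the denylist: slips through
    "alice\$(id)",          # '$', '(' and ')' are not on it either
    "alice\n",              # trailing newline: also not on the denylist
);

for my $s (@samples) {
    my $neg = scrub_negative($s);
    my $pos = validate_positive($s);
    printf "%-20s negative -> %-18s positive -> %s\n",
        quote($s), quote($neg), defined $pos ? quote($pos) : 'REJECTED';
}
```

Running it shows the asymmetry the reply describes: the negative model only catches the one input whose dangerous character happened to be on the list, and still forwards the backtick, `$(...)` and newline variants unchanged, while the positive model accepts exactly the one legitimate value and rejects every other input without needing to know what made it dangerous. Perl's taint mode (`perl -T`) enforces the same idea at the language level: data from outside the program stays tainted until it is captured from a regular-expression match, so an allowlist capture like the one in validate_positive is the route Perl itself expects you to take.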

