Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??
Heh. And the worst part is that the guy himself probably did not realize he was doing something wrong. I find it pretty strange that people can still miss those simple security measures, when just about every manual or tutorial for web programming mentions, in one way or the other, the security rule #1: "Do not trust what your visitors submit". Or for that matter trust your visitors at all. Even the most benevolent user might submit something harmful, and what about the malicious?

Personally, I try to make sure that nothing that is submitted goes unchecked, especially if it might be part of a SQL query, or has any chance of being displayed back in the browser.

That said, I once, about two-three years ago, saw a site that had SQL statements embedded in the HTML! More specifically, in VB-scripts on the pages. I have no real idea how that worked, or why it would be in the client-side VB code... it is altogether possible that it didn't work, but was just some strange copy/paste error. Then again, given the total integration and (at least earlier) lack of security compared to "features" in Microsofts systems... I know very little about VB/ASP etc, and at that time I knew nothing. :) That doesn't mean it wasn't the real queries (with logic around it), including table names, column names, and variables passed in etc, and that could have been disastrous for those guys. "Gee, I wonder if I can end this submit with a semi-colon and then..." - well, you know the drill. Sadly, I never remembered to save that URL. I'm pretty sure it didn't last long anyways, at least not in that form.

Good node, and hopefully food for thought that will help one or two sites out there be more secure. :)

You have moved into a dark place.
It is pitch black. You are likely to be eaten by a grue.

In reply to Re: •web site design, or lack thereof by Dog and Pony
in thread web site design, or lack thereof by merlyn

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others surveying the Monastery: (6)
    As of 2020-10-21 08:32 GMT
    Find Nodes?
      Voting Booth?
      My favourite web site is:

      Results (212 votes). Check out past polls.