
Re: Know what you are doing For SECURITY!

by tilly (Archbishop)
on Nov 14, 2003 at 05:04 UTC (#307003)

in reply to Know what you are doing For SECURITY!
in thread Use placeholders. For SECURITY!

My point of view is that you teach people to care incrementally. If I tried to tell people everything that they should be doing to fix their code all at once, they would be overwhelmed and I would be exhausted. If I accomplish nothing more than to make people aware that there is something important to learn, then I have accomplished something which is quite important.

Yes, the person who does not think about using placeholders is probably doing other things wrong. Yes, many of those other things are likely to be exploitable. But I disagree that SQL injection is the least of your worries. Because from the point of view of an attacker, SQL injection is very attractive. Lots of sites are vulnerable to it, you are likely to get at very valuable data pretty directly with it, traditional security measures (e.g. firewalls) don't protect against or log it, and you don't need to be extremely knowledgeable to make it work. Using standard cracking tools that go after known bugs in commonly used software is easier still, but relatively few programmers write code that gets distributed enough to be the target of such tools.

As for using quote instead of placeholders, it depends. Yes, some databases (e.g. MySQL) have drivers that just use quote under the hood. Others (e.g. Oracle) do not, and in those you often will find that being able to use placeholders is a big performance win. (I've seen top Oracle DBAs claim that avoiding placeholders is the single easiest way to get Oracle to not scale.) Sure, there are bugs in certain drivers. Over time the bugs get found and fixed. But if you roll your own, odds are that you will make the common mistakes and will have more security holes than if you didn't. (Exceptions exist. You aren't named Dan Bernstein, are you? OK, then that doesn't apply to you...)

And finally, I hoped that my entire meditation would explain one reason to use placeholders, and make it clear that there is a lot more to secure code than just, "use placeholders".
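The three approaches tilly contrasts, as an added example that is not part of the original post: the same query built by string interpolation, with a DBI placeholder, and with $dbh->quote, run against a constructed in-memory SQLite table (DBD::SQLite is assumed to be installed).

```perl
use strict;
use warnings;
use DBI;

# Constructed demo database: two users, each with a secret.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE users (name TEXT, secret TEXT)");
$dbh->do("INSERT INTO users VALUES ('alice', 's1'), ('bob', 's2')");

# Constructed hostile input: it closes the string literal and appends a
# condition that is always true.
my $name = "nobody' OR 'a'='a";

# 1. Interpolation: the input becomes part of the SQL text, so the WHERE
#    clause now matches every row and every secret is returned.
my $rows_interp = $dbh->selectall_arrayref(
    "SELECT secret FROM users WHERE name = '$name'");
printf "interpolated: %d row(s)\n", scalar @$rows_interp;

# 2. Placeholder: the driver passes the value as data, not SQL; it is
#    compared literally against the name column and matches nothing.
my $rows_ph = $dbh->selectall_arrayref(
    "SELECT secret FROM users WHERE name = ?", undef, $name);
printf "placeholder:  %d row(s)\n", scalar @$rows_ph;

# 3. $dbh->quote: driver-specific escaping. It gives the same result here,
#    but the value still travels inside the SQL text, so the outcome
#    depends entirely on the driver's escaping being correct for every
#    input the database accepts.
my $rows_quoted = $dbh->selectall_arrayref(
    "SELECT secret FROM users WHERE name = " . $dbh->quote($name));
printf "quoted:       %d row(s)\n", scalar @$rows_quoted;
```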

Re: Re: Know what you are doing For SECURITY!
by Abigail-II (Bishop) on Nov 14, 2003 at 15:44 UTC
    My point of view is that you teach people to care incrementally.
    As long as that doesn't mean that people should write secure code incrementally. Once you put code that needs to be secure into production (or even in development or testing depending on the environment), it better be fully secure. It doesn't make sense to say "well, today I've used placeholders, next week I'll look into that -T thingy". Because you might be compromised before it's next week.
