From: | Tom Allison <tallison(at)tacocat(dot)net> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: Sql injection attacks |
Date: | 2004-07-27 05:51:27 |
Message-ID: | 4105ED5F.6020103@tacocat.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Jim Seymour wrote:
> Bill Moran <wmoran(at)potentialtech(dot)com> wrote:
>
> [snip]
>
> I agree with Bill. Years ago (more years than I care to recall) I read
> a book on structured systems design (IIRC) that advised one should
> condition/convert data as early as possible in the process, throughout
> the design. Amongst the advantages cited for this tactic was that then
> you would know, everywhere else in the system, that you were dealing
> only with conditioned data. That practice, taken to heart relatively
> early in my career, has always stood me in good stead. Thus I
> recommend to others the same approach.
>
> In short: Any data coming from an untrusted source should always be
> de-fanged as early as possible.
>
Sounds like reading up on perl's Taint feature would be beneficial here
as well. They have the similar attitude that if it hasn't been
specifically de-loused, then it probably has lice.
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Allison | 2004-07-27 05:58:54 | Re: Sql injection attacks |
Previous Message | Scrappy | 2004-07-27 04:06:12 | Re: Incoming Message |