| From: | Tom Allison <tallison(at)tacocat(dot)net> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Sql injection attacks |
| Date: | 2004-07-27 05:51:27 |
| Message-ID: | 4105ED5F.6020103@tacocat.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Jim Seymour wrote:
> Bill Moran <wmoran(at)potentialtech(dot)com> wrote:
>
> [snip]
>
> I agree with Bill. Years ago (more years than I care to recall) I read
> a book on structured systems design (IIRC) that advised one should
> condition/convert data as early as possible in the process, throughout
> the design. Amongst the advantages cited for this tactic was that then
> you would know, everywhere else in the system, that you were dealing
> only with conditioned data. That practice, taken to heart relatively
> early in my career, has always stood me in good stead. Thus I
> recommend to others the same approach.
>
> In short: Any data coming from an untrusted source should always be
> de-fanged as early as possible.
>
Sounds like reading up on perl's Taint feature would be beneficial here
as well. They have the similar attitude that if it hasn't been
specifically de-loused, then it probably has lice.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Allison | 2004-07-27 05:58:54 | Re: Sql injection attacks |
| Previous Message | Scrappy | 2004-07-27 04:06:12 | Re: Incoming Message |