"Secure programmer: Keep an eye on inputs"
From: Mike Migurski (mike_at_saturn5.com)
Date: 12/30/03
- Next message: Php: "connecting to progress db"
- Previous message: Jay Blanchard: "RE: [PHP] A hint..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 30 Dec 2003 14:04:54 -0800 (PST)
To: php-general@lists.php.net
This was posted to Slashdot not too long ago, and seems applicable to
php-general given the frequent mentions of register_globals and usage of
the get and post arrays. It's a detailed explanation of many common ways
that software which is overly trusting of its input can be exploited, and
underscores the point that input from the open internet is particularly
risky.
http://www-106.ibm.com/developerworks/linux/library/l-sp3.html
A lot of the article deals specifically with writing applications in a
Unix environment, but the general take-home points for PHP programmers
boil down to:
- In a client/server system, the server should never trust the client.
- Ruthlessly check untrusted inputs.
---------------------------------------------------------------------
michal migurski- contact info and pgp key:
sf/ca http://mike.teczno.com/contact.html
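As an added example (not part of Mike's message or the linked article), here is one way to apply the two take-home points in PHP: read only from the superglobal arrays, validate each parameter against an allow-list, and initialize every variable the script uses so register_globals cannot pre-seed it from the query string. Parameter names and allowed values are assumptions.

```php
<?php
// Added example, not from the original message. Parameter names
// (id, sort) and the allowed sort columns are hypothetical.
declare(strict_types=1);

/**
 * Validate an untrusted request array (such as $_GET) against an
 * allow-list of expected parameters. Returns only the cleaned values;
 * throws on anything that does not match.
 */
function validate_request(array $input): array
{
    $clean = [];

    // id: must be a positive integer. filter_var() rejects signs,
    // whitespace, floats and array values (id[]=1) alike.
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $clean['id'] = $id;

    // sort: only a value from a fixed list, never a raw identifier
    // that later gets interpolated into SQL.
    $allowed_sort = ['name', 'date', 'size'];
    $sort = $input['sort'] ?? 'name';
    if (!is_string($sort) || !in_array($sort, $allowed_sort, true)) {
        throw new InvalidArgumentException('sort must be one of ' . implode(', ', $allowed_sort));
    }
    $clean['sort'] = $sort;

    // Everything else the client sent is dropped, not merged into scope.
    return $clean;
}

// Initialize every script variable explicitly, so even with
// register_globals=On a request cannot seed it (e.g. ?is_admin=1).
$is_admin = false;

try {
    $params = validate_request($_GET);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad request: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));
}

// The input was validated, not trusted: still escape it on output.
echo 'Item ' . $params['id'] . ' sorted by '
    . htmlspecialchars($params['sort'], ENT_QUOTES, 'UTF-8');
```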