Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

user input question



On 4/3/07, Eric C <eric at newmag.org> wrote:
> It will kick 'em out before anything else gets done.
> What do you think?

The rule of thumb in securing user input is *NOT* to blacklist what
you think is invalid, but to whitelist only that which is acceptable
input.  If it is a hash of [a-z0-9] only, then make a whitelist on
this grammar.  You see, the world of inputs is possibly infinite, and
you don't want to have cases pertaining to all of them.  Also, I
wouldn't even give an attacker a helpful message like you do in your
patch.  I would give a more generic error like "Something went
wrong..." and use that for every error you encounter!
-- 
Kristian Hermansen

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.





BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org