in reply to Re: Re: removing carriage returns in text area (cgi)
in thread removing carriage returns in text area (cgi)

That's quite a bit of a leap you make there.
someone stuffing some quotes and a semicolon and then a perl command
which is irrelevant if no unsafe operations (eval, system calls, via open or otherwise) are carried out, like in the original question.

Re: Re: Re: Re: removing carriage returns in text area (cgi)
by aquarium (Curate) on Jul 17, 2003 at 23:13 UTC
    Yes, it's a leap alright...we only have a little snippet of code from the script. Does the code perform SQL or system calls? Who knows. This sub-thread of the main idea is still relevant: it guards against code injection. And the main idea (reject bad input altogether) is better than a fix-the-input approach. People that input quotes and other funny characters into input boxes (cgi) are generally up to no good anyway. When was the last time you entered quotes in a cgi form? With the "fix the input" approach, the shortcoming of the program will be found sooner rather than later...and if it's not code injection that happens, then at least it will possibly break the code. Therefore "reject all but GOOD input" should be an idiom that coders (coders != software designers) might like to learn. I'm not getting on a pedestal either...but I would like to impart the few good rules I have learnt. It's not all just about the code or to see how far you can get with a regex.
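As an added illustration of the "reject all but GOOD input" idiom discussed in this thread (example code written for this page, not posted by either monk): the textarea value is first normalised from the CRLF that browsers submit, then checked against an allowlist of permitted characters and rejected outright if anything else is present, rather than having the offending characters stripped. The names `normalize_newlines` and `validate_textarea` and the sample inputs are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not from the thread: allowlist validation of a CGI
# textarea value instead of "fixing" it by removing characters.

# Browsers send textarea line breaks as CRLF; fold CRLF (or a bare CR)
# into LF before validating, so the newline itself is not a reason to reject.
sub normalize_newlines {
    my ($text) = @_;
    $text =~ s/\r\n?/\n/g;
    return $text;
}

# Returns the normalised text when every character is on the allowlist
# (letters, digits, space, newline, tab, basic punctuation), otherwise undef.
# Quotes, semicolons, backticks, $, | and the like are not on the list, so
# input containing them is rejected rather than silently altered.
sub validate_textarea {
    my ($raw, $max_len) = @_;
    $max_len = 2000 unless defined $max_len;
    return undef unless defined $raw;
    my $text = normalize_newlines($raw);
    return undef if length($text) > $max_len;
    return undef unless $text =~ /\A[A-Za-z0-9 \n\t.,!?:()\-]*\z/;
    return $text;
}

# Constructed sample inputs, as a CGI script would get them from
# $cgi->param('comment').
my %samples = (
    good => "Hello monks,\r\nthis is a plain comment.",
    bad  => "quotes \" and ; semicolons",
);

for my $name (sort keys %samples) {
    my $clean = validate_textarea($samples{$name});
    if (defined $clean) {
        my @lines = split /\n/, $clean;
        printf "%s: accepted (%d chars, %d lines)\n",
            $name, length($clean), scalar(@lines);
    } else {
        print "$name: rejected, ask the user to resubmit\n";
    }
}
```

In a real script the rejected case would return a form error to the user; the allowlist is the policy decision, so widen it deliberately per field rather than reaching for a strip-and-continue regex.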