in reply to security questions

It all depends on what you consider "secure" and "insecure". Does it need to be secure for your server? For the submitter? For the user reading the 'dynamic pages'? For the browser displaying it? For the machine running the browser?

if someone knew the code of my scripts you think he could find some hole?
This question has the same answer as the question "does my script have some hole".

Abigail

Re: Re: security questions
by noname00 (Novice) on May 21, 2004 at 13:47 UTC
    secure for everyone and everything...

    -------------
    if someone knew the code of my scripts you think he could find some hole?
    This question has the same answer as the question "does my script have some hole".
    -------------

    let's say that the only security bugs are the ones described above
      Secure for everyone and everything cannot be done in any system of a decent size. In practice, there is always a point where the cost of closing a potential hole will be so high that you'd be better off not implementing the feature.

      For instance: do you want to protect yourself against users putting up "illegal" content? (yes, there is such a thing, at least where I live)

      Other example: what about DoS attacks?

      It's a matter of risk vs usability vs cost of implementation. You really should read the OWASP guide if you want to know about more potential problems.

      Joost

        Along with Joost's suggestion of reading the OWASP guide, I would also recommend looking at the www-security FAQ; it's been an excellent reference for me.

        "Cogito cogito ergo cogito sum - I think that I think, therefore I think that I am." Ambrose Bierce

      secure for everyone and everything...
      Nope. Just to name one thing, people could write huge articles, or include images that uncompressed take a large enough amount of memory that the displaying system runs out of memory.
      let's say that the only security bugs are the ones described above
      So, what does that mean for the answer of "does my script have some hole"? Figure that one out, and you have figured out the answer to "if someone knew the code of my scripts you think he could find some hole".

      Abigail

        By saying "if someone knew the code of my scripts you think he could find some hole" I meant: if someone knew my script's structure, would he be capable of exploiting the problems I described above...

        So far, after your replies, I think problem 2 is ok, but I have to add some check for problem 1.