Re^3: Reading from txt makes variables literal?

You are also assuming you have no idea what's in the file. If you know what the file will contain each and every time, there's no more security risk than anything else you can do.

Comment on Re^3: Reading from txt makes variables literal?

Replies are listed 'Best First'.
Re^4: Reading from txt makes variables literal? by spiritway (Vicar) on Mar 03, 2006 at 09:42 UTC
It's not so much assuming you've got no idea what's in the file, as it is, NOT assuming that you will always know what's in it. With regard to security, the assumption is always that a file or other input could contain malicious data. There's no way to be certain of what the file contains, so you code defensively. Human error, malice, even a problem with the file system, could conceivably cause the input file to contain strings that would be devastating if executed. Check out an amusing take on this issue Can't Happen or /NOTREACHED/ or Real Programs Dump Core. It's somewhat dated, but still has many good points. Plus, it's fun.	[reply]

Replies are listed 'Best First'.

Re^4: Reading from txt makes variables literal?
by spiritway (Vicar) on Mar 03, 2006 at 09:42 UTC

It's not so much assuming you've got no idea what's in the file, as it is, *NOT* assuming that you will always know what's in it. With regard to security, the assumption is always that a file or other input could contain malicious data. There's no way to be certain of what the file contains, so you code defensively. Human error, malice, even a problem with the file system, could conceivably cause the input file to contain strings that would be devastating if executed. Check out an amusing take on this issue Can't Happen or /*NOTREACHED*/ or Real Programs Dump Core. It's somewhat dated, but still has many good points. Plus, it's fun.

[reply]