I've been reading BUGTRAQ and RISKS for too many years now to treat what you say lightly. Your speech mimics those who didn't respect the responsibility of security enough, and who now have let credit card numbers leak, and other important documents.
And let's make this personal... it would be just my luck that you'd go on to write some e-commerce site that I ended up using, and except for the correction I'm trying to get you here, you wrote some leaky crap that revealed personal information about me to whomever wanted to come along.
So, I must continue until you've shown signs of "getting it". Both for humanity, and for me personally. I'm still troubled by many of these statements in your last post. You are not showing signs of "getting it".
I'm whipping it out so that 10 people who I know very well can use the code behind an SSL apache password protected website.What if there's a breakin, and now using your untainted code they get further with the breakin?
And here's the scary one for me... what if someone copies your code without understanding the operating limits, and ends up putting that on a site without this first level of protection. Code always lives longer than it should. Witness Matt Wright's stuff, or even my own ill-fated chat2.pl.
You may think it's no big deal. And as long as you think it's no big deal, I'm here to insist that it is.
-- Randal L. Schwartz, Perl hacker
In reply to On the importance of security
by merlyn
in thread CGI::param wrapper for untainting
by dcardamo
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |