Re: Abusing poor programming techniques in webserver scripts V 1.0

From: Roger Burton West (roger@firedrake.org)
Date: 07/27/01
Date: Fri, 27 Jul 2001 20:01:16 +0100
From: Roger Burton West <roger@firedrake.org>
To: secprog@securityfocus.com
Subject: Re: Abusing poor programming techniques in webserver scripts V 1.0
Message-ID: <20010727200116.A522@firedrake.org>

On Thu, Jul 26, 2001 at 12:42:47PM -0600, memonix@roses-labs.com wrote:
>
> Roses Labs
> Advanced Security Research
> http://www.roses-labs.com
>
>
> Title :
>
> Abusing poor programming techniques in webserver scripts V 1.0

You miss a vital and fundamental point. You are blacklisting characters,
but the appropriate technique is to whitelist characters; and there
already exists a perfectly adequate technique for doing this.

In perl, the language of the example you give, there exists the DBI
quote function. In other languages, there are similar functions. And
almost any database driver can use bound parameters rather than in-line
parameters anyway, which in many cases will be rather more efficient.

The tools are already there. Using them makes life easier in general
as well as solving security problems. The fact that many people do not
use them does not alter the fact that they are the best way to guard
against exactly this class of problem.

Roger
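The three approaches contrasted above (in-line interpolation, DBI's quote(), and a bound parameter), as an added Perl example that is not code from the original thread or from Roses Labs. It assumes DBD::SQLite is installed and uses a constructed input, a name that legitimately contains a single quote, to show why blacklisting that character is the wrong fix.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is installed; an in-memory database stands in
# for whatever server the original script talked to.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
# Constructed sample rows; one name legitimately contains a single quote.
$dbh->do("INSERT INTO users (name) VALUES ('alice')");
$dbh->do("INSERT INTO users (name) VALUES ('O''Brien')");

my $name = "O'Brien";   # constructed input, as it might arrive from a form

# 1. In-line interpolation: the embedded quote becomes part of the SQL,
#    so the statement is malformed and the database rejects it.  A
#    blacklist that strips quotes would "cure" this only by refusing a
#    perfectly valid name.
eval { $dbh->selectall_arrayref("SELECT id FROM users WHERE name = '$name'") };
print "interpolated: ", ($@ ? "statement rejected by the database\n" : "ran\n");

# 2. DBI quote(): the driver escapes the value for this database and
#    wraps it in quotes, so the whole thing is treated as one literal.
my $sql  = "SELECT id FROM users WHERE name = " . $dbh->quote($name);
my $rows = $dbh->selectall_arrayref($sql);
printf "quote():     %d row(s)\n", scalar @$rows;

# 3. Bound parameter (placeholder): the value never touches the SQL text
#    at all, and the prepared statement can be executed repeatedly.
my $sth = $dbh->prepare("SELECT id FROM users WHERE name = ?");
$sth->execute($name);
my $count = 0;
$count++ while $sth->fetchrow_arrayref;
printf "placeholder: %d row(s)\n", $count;

$dbh->disconnect;
```

Both quote() and the placeholder find the one matching row; only the interpolated form fails, and it is the form a character blacklist would be trying to patch.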