[WEB SECURITY] Re: recognising metacharacters as code ( Is ^ a dangerous metachar?)
- From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
- Subject: [WEB SECURITY] Re: recognising metacharacters as code ( Is ^ a dangerous metachar?)
- Date: Tue, 9 Jan 2007 09:44:51 -0500
On 1/9/07, Albert <caruabertu@xxxxxxxxx> wrote:
> CODE vs data - artificial intelligence approach? rule based? - there are
> newer methods - see USA naval laboratory for applied computer science -
> artificial intelligence research etc...
It shouldn't be that complicated. Code is what I write. Data is what
comes from the user. If at any point it is not completely and totally
obvious which is which, then that is a problem and must be fixed.
Some APIs encourage confusion between code and data. For example,
some tutorials encourage people to build up SQL queries by gluing
strings together. That is evil, because data from the user becomes
code in the query. Parameterized SQL queries (aka prepared
statements) are good, because they keep a clear distinction between
code and data.
Regards,
Brian
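The two patterns Brian contrasts, side by side, as an added example that is not part of his post or of the list archive. It runs against an in-memory SQLite database with constructed sample rows; the table, the column names and the hostile inputs are all assumptions made for the illustration:

```python
"""
Added example (not from the original post): string-glued SQL next to a
parameterized query, run against an in-memory SQLite database filled
with constructed sample rows.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    # Constructed data; the last name carries an apostrophe on purpose.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("O'Brien", "user")],
    )
    return conn


def lookup_glued(conn: sqlite3.Connection, name: str):
    """The pattern the post calls evil: user data is spliced into the query
    text, so any quote or operator inside `name` is parsed as SQL code."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str):
    """Prepared statement: the query text is fixed code written by us; the
    value travels separately and is only ever compared as a string."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def glued_query_fails(conn: sqlite3.Connection, name: str) -> bool:
    """True when the glued form cannot even parse the input as SQL, which is
    what happens to a perfectly legitimate name containing an apostrophe."""
    try:
        lookup_glued(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    # Constructed hostile input: closes the literal and makes the predicate true.
    hostile = "x' OR '1'='1"
    print(lookup_glued(conn, hostile))          # every row leaks
    print(lookup_parameterized(conn, hostile))  # nobody is literally named that
    print(glued_query_fails(conn, "O'Brien"))   # glued form breaks on real data
    print(lookup_parameterized(conn, "O'Brien"))
```

The same input that dumps the whole table through the glued query matches nothing through the parameterized one, because the driver never lets it touch the query text; the apostrophe case shows the flip side, that gluing also breaks on honest data, which is the usual sign that data and code have been confused.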
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org