user input question
Kristian Hermansen
kristian.hermansen at gmail.com
Tue Apr 3 15:33:05 EDT 2007
On 4/3/07, Eric C <eric at newmag.org> wrote:
> It will kick 'em out before anything else gets done.
> What do you think?
The rule of thumb in securing user input is *NOT* to blacklist what
you think is invalid, but to whitelist only that which is acceptable
input. If it is a hash of [a-z0-9] only, then make a whitelist on
this grammar. You see, the world of inputs is possibly infinite, and
you don't want to have cases pertaining to all of them. Also, I
wouldn't even give an attacker a helpful message like you do in your
patch. I would give a more generic error like "Something went
wrong..." and use that for every error you encounter!
--
Kristian Hermansen
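An added example of the whitelist approach the reply describes (not code from the original thread): a validator that accepts only the [a-z0-9] grammar, a deliberately incomplete blacklist beside it for contrast, and one generic error for every rejection. The fixed length of 32 characters is an assumption; adjust it to the hash format you actually use.

```python
import re

# Whitelist: only the grammar we accept. The 32-character length is an
# assumption for this example; adjust it to the real hash format.
HASH_WHITELIST = re.compile(r"[a-z0-9]{32}")

# A deliberately incomplete blacklist, to show why that approach is fragile:
# any character not listed here is silently accepted.
BLACKLIST_CHARS = set("'\";<>")

# One generic message for every rejection, as the post recommends, so the
# error text does not reveal which check the input tripped.
GENERIC_ERROR = "Something went wrong..."


class ValidationError(ValueError):
    """Raised for any invalid input; carries only the generic message."""


def whitelist_hash(value: str) -> str:
    # fullmatch anchors both ends: a trailing newline or an extra character
    # would slip past a bare search() but is rejected here.
    if HASH_WHITELIST.fullmatch(value) is None:
        raise ValidationError(GENERIC_ERROR)
    return value


def blacklist_hash(value: str) -> str:
    # Blacklist variant: accepts anything that avoids the listed characters.
    if any(ch in BLACKLIST_CHARS for ch in value):
        raise ValidationError(GENERIC_ERROR)
    return value


def is_accepted(validator, value: str) -> bool:
    try:
        validator(value)
        return True
    except ValidationError:
        return False


# Constructed inputs: a valid hash, then variants each approach must decide on.
GOOD = "0123456789abcdef" * 2
CASES = [GOOD, GOOD.upper(), GOOD + "\n", GOOD[:-1] + "%", ""]

if __name__ == "__main__":
    for case in CASES:
        print(repr(case), "whitelist:", is_accepted(whitelist_hash, case),
              "blacklist:", is_accepted(blacklist_hash, case))
```

Running it shows the whitelist rejecting every variant while the blacklist lets the newline, the `%` and the empty string through.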