
BLU Discuss list archive


user input question

On 4/3/07, Eric C <eric at> wrote:
> It will kick 'em out before anything else gets done.
> What do you think?

The rule of thumb in securing user input is *NOT* to blacklist what
you think is invalid, but to whitelist only that which is acceptable
input.  If it is a hash of [a-z0-9] only, then make a whitelist on
this grammar.  You see, the world of inputs is possibly infinite, and
you don't want to have cases pertaining to all of them.  Also, I
wouldn't even give an attacker a helpful message like you do in your
patch.  I would give a more generic error like "Something went
wrong..." and use that for every error you encounter!
Kristian Hermansen
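The whitelist approach described above, as an added example that is not part of the original thread: a validator that accepts only the `[a-z0-9]` grammar and hands every failure the same generic message, beside a blacklist check for contrast. The length bounds and the `handle_request`/`blacklist_check` names are assumptions for illustration.

```python
import re

# Whitelist: the only grammar accepted is [a-z0-9]. The length bounds are an
# assumption (hex digests run 32-128 chars); tighten them to the real hash.
_HASH_RE = re.compile(r"[a-z0-9]{32,128}")

# One generic message for every failure so the caller learns nothing about
# which check tripped.
GENERIC_ERROR = "Something went wrong..."


def validate_hash(value):
    """Return the value if it matches the whitelist, otherwise None."""
    if not isinstance(value, str):
        return None
    # fullmatch anchors both ends. A '^...$' pattern with re.match would still
    # accept a trailing newline, because '$' matches before a final '\n'.
    if _HASH_RE.fullmatch(value) is None:
        return None
    return value


def handle_request(value):
    """Validate first; every failure returns the same generic error."""
    h = validate_hash(value)
    if h is None:
        return (False, GENERIC_ERROR)
    return (True, h)


# Blacklist for contrast (the approach the post advises against): it only
# rejects the characters someone thought of, so NUL bytes, newlines, path
# separators and anything else not on the list sail through.
_BLACKLIST = set("'\";<>")


def blacklist_check(value):
    """True if none of the listed bad characters appear (not a safe check)."""
    return not any(c in _BLACKLIST for c in value)
```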


BLU is a member of BostonUserGroups