Robert Cummings wrote:
On Sat, 2006-09-09 at 11:30 -0400, Mark Charette wrote:
Stut wrote:
Mark Charette wrote:
However, looking at it from a 'knowing early the data is tainted' perspective, not from a 'validating and cleaning perspective', if you have coded that (for instance) a variable is set via COOKIE, then only looking for that variable set via COOKIE will eliminate its being tainted by being set via GET or REQUEST. It doesn't eliminate any need for validation or cleaning, but reduces (naive) attempts to set via incorrect means. That is not possible via REQUEST. Personally, I like to toss out possibilities of bad data via simple means as early in the chain as possible.
If I understood that right it's a shocking naive statement for any developer to make. While I agree with what you're saying, you're implying a bad attitude to handling data from untrusted sources.

I am being neither shocking nor naive. Why is early discarding of data because it comes in the wrong area shocking?

That's your last line, I think he's commenting on the rest of your
comment. Questionable data is questionable data, it doesn't matter from
whence you clean it. If you haven't cleaned it you're still going to get
screwed no matter how much you rely on it being difficult to manipulate
by a site visitor.
Where am I being unclear, then? "reduces (naive) attempts to set via incorrect means." doesn't say 'eliminate serious attempts'. I would think my statement "It doesn't eliminate any need for validation or cleaning," covers the remaining scenarios. Indeed, determining the source of data is one of the essential steps in validation. One of the rules is 'discard even valid data if it comes from an untrusted source' - and data coming from an _incorrect_ source is, by definition, untrusted even if you wish to expend the effort to prove it valid.

And I'll wager a brew no one here has ever done a formal, mathematically rigorous proof of a validation routine except as a class project. As a senior member of the software QC department in a major industrial company, I generally find more errors and omissions in validation routines during code reviews and ethical hacks than anywhere else.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
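
The approach argued for in the message above (read a value only from the source the code set it in, discard it early if it arrives any other way, and still validate what remains), as an added example that is not part of the thread. The function name `read_from_source`, the `theme` key and the validation pattern are hypothetical, and the request data is constructed.

```php
<?php
declare(strict_types=1);

/**
 * Read $key only from the source the application set it in, then validate.
 * $sources is injected (normally ['cookie' => $_COOKIE, 'get' => $_GET,
 * 'post' => $_POST]) so the function can be exercised without a web server.
 * Returns ['value' => ?string, 'wrong_sources' => string[]].
 */
function read_from_source(array $sources, string $expected, string $key, string $pattern): array
{
    // Note where else the key showed up; those copies are never used.
    $wrong = [];
    foreach ($sources as $name => $data) {
        if ($name !== $expected && array_key_exists($key, $data)) {
            $wrong[] = $name;
        }
    }

    $raw = $sources[$expected][$key] ?? null;

    // Early discard: absent from the expected source, or not a plain string
    // (PHP turns "theme[]=x" into an array).
    if (!is_string($raw)) {
        return ['value' => null, 'wrong_sources' => $wrong];
    }

    // The source check passed; validation is still required.
    if (preg_match($pattern, $raw) !== 1) {
        return ['value' => null, 'wrong_sources' => $wrong];
    }
    return ['value' => $raw, 'wrong_sources' => $wrong];
}

// Constructed sample requests (hypothetical, not from the thread).
$pattern = '/\A[a-z]{1,16}\z/';
$cases = [
    'set via cookie as coded'  => ['cookie' => ['theme' => 'dark'], 'get' => [], 'post' => []],
    'set via GET only'         => ['cookie' => [], 'get' => ['theme' => 'dark'], 'post' => []],
    'cookie present but bad'   => ['cookie' => ['theme' => '<script>'], 'get' => [], 'post' => []],
    'cookie plus GET override' => ['cookie' => ['theme' => 'light'], 'get' => ['theme' => 'dark'], 'post' => []],
];
foreach ($cases as $label => $sources) {
    $r = read_from_source($sources, 'cookie', 'theme', $pattern);
    printf("%-26s value=%s wrong_sources=[%s]\n", $label,
        var_export($r['value'], true), implode(',', $r['wrong_sources']));
}
```

The `wrong_sources` list is returned rather than silently dropped so a caller can log requests that try to supply the key through a channel the code never uses.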
