At 10:34 PM 07/13/2001 -0400, fliptop wrote:
>Curtis Poe wrote:
>> 
>> There are other reasons, too.  Just today, I was asked to break 
>> a version of a Web site we were about to publicly release.  
>> It took me 5 minutes to find a security hole and demonstrate 
>> that I could execute any arbitrary SQL against our database by 
>> passing it through the URL (it's easier than one might think 
>> for many sites).  Fortunately, that stopped this code from 
>> moving out, but the programmer who wrote the code explained 
>> that hackers would first have to know the names of the tables 
>> they were affecting and thus, things were secure.
>
>that sounds more like an excuse than an explanation.

Let there be one mantra that ALL programmers must repeat to themselves over
and over again until they go insane:

"Security through obscurity is NO security at all"

Aloha,
mel
--
mel matsuoka                      Hawaiian Image Productions
Chief Executive Alphageek                (vox)1.808.531.5474
[EMAIL PROTECTED]                    (fax)1.808.526.4040
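The hole Curtis describes, as an added example that is not from the thread: a URL parameter pasted into the SQL text, next to the parameterized version. The table, column and URL names here are constructed, and an in-memory SQLite database stands in for the site's database.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs


def make_db():
    """Constructed sample data standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [(1, "widget", 1), (2, "gadget", 1), (3, "unreleased", 0)])
    conn.commit()
    return conn


def id_from_url(url):
    """Pull the 'id' query parameter out of a URL such as /item?id=2."""
    return parse_qs(urlparse(url).query).get("id", [""])[0]


def lookup_unsafe(conn, raw_id):
    # The bug: the URL value is spliced into the statement text, so the
    # database reads whatever it contains as SQL. Note that the input that
    # widens the WHERE clause never has to name a table or a column; the
    # query already supplies those, which is why obscurity buys nothing.
    sql = "SELECT name FROM items WHERE public = 1 AND id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, raw_id):
    # The fix: a bound placeholder is always data, never statement text.
    # Rejecting anything that is not a plain integer is a second,
    # independent layer; it makes the failure loud instead of silent.
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT name FROM items WHERE public = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]


if __name__ == "__main__":
    db = make_db()
    for url in ("/item?id=2", "/item?id=2%20OR%201=1"):
        raw = id_from_url(url)
        print(url, "unsafe ->", lookup_unsafe(db, raw))
        try:
            print(url, "safe   ->", lookup_safe(db, raw))
        except ValueError as err:
            print(url, "safe   -> rejected:", err)
```

The unsafe lookup returns every row, including the unpublished one, for the second URL; the safe lookup returns only the requested row for the first and refuses the second.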