The antivirus def files are just examples of 'blacklisting' something. I am not saying that whitelisting is the answer to all security problems that may arise. There are tasks that are better suited to blacklisting, and other tasks suited to whitelisting. However, take a look at an enterprise computing environment. Admins that I've come to know also share the ache of users running rampant, installing restricted apps, and using and smuggling devices to and from the environment. To control these activities (though it really sounds very strict), they whitelisted specific apps for specific users and whitelisted devices to specific user groups. A requirement to run a specific application will then have to be negotiated/requested. Sure, it does feel like the network has become an authoritarian regime. But if these workstations run Windows, plus incoherent/irregular patching, the users will thank the admins later for lessening the headache of "unwanted/malicious code" wreaking havoc on the environment.

Running a corporate network is really quite different (in terms of regulations and policies).

On 11/6/06, Ron Michael Khu < [EMAIL PROTECTED]> wrote:
a whitelist for antivirus? so anything outside the whitelist is a
virus, or unwanted, or at least an "unconfirmed" program?
kinda like Microsoft's antispyware: "our MS programs are good and safe
for you, while the little-known freeware apps are to
be marked and labeled as 'unsigned' or 'not verified to be safe'"
:D

what if there were a pure-whitelist OS?
"allow installation only of apps considered 'GOOD' in 'OUR' list; for
other unverified apps, please contact and pay us a fat fee"


hard wyrd wrote:
> The whitelist method has been the best-kept secret when talking about
> security in any application.
>
> A lot of apps (anti-vir, etc.) use blacklisting, and this is
> somewhat ineffective, especially towards problems that you haven't
> encountered yet. Explicitly and selectively allowing methods,
> functions, and applications will prevent exploitation.
>
> On 11/4/06, *Raymond Olavides* <[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>> wrote:
>
>
>
>     On 11/3/06, *Matt Arnilo S. Baluyos* < [EMAIL PROTECTED]
>     <mailto:[EMAIL PROTECTED]>> wrote:
>
>         On 11/3/06, mungkey < [EMAIL PROTECTED]
>         <mailto:[EMAIL PROTECTED]>> wrote:
>         > Hehehe, yes, it's probably really like that, toykhu. Back then there
>         > was also one where you'd just put a backslash zero at the end, and
>         > then you could also put in a new query like insert or update; if the
>         > one you're injecting into has insert privileges, it's a sure thing.
>         > But usually it's really the quotes that make the difference. I
>         > believe Matt and Ardie use a filter or sanitizer in their ajax
>         > apps. They can explain this better since they were the ones who did
>         > it first ... that is, if they're not busy. hehehe. Those two idols
>         > of mine are always said to be busy ... hehehe.
>
>         It's a framework that you can get from the Internet. kses is the
>         name and you can get it at http://sourceforge.net/projects/kses
>         <http://sourceforge.net/projects/kses >
>
>         I think it's the one used by WordPress. We just wrapped it in a
>         class to fit our API.
>
>
>     Yup! kses is the one used by WordPress. I prefer to use
>     phpinputfilter, the one used by Joomla!. btw, phpinputfilter now
>     has a PEAR package.
>
>     The difference between kses and phpinputfilter is in their filter
>     implementation: they whitelist allowed tags/characters and blacklist
>     unwanted tags/characters, respectively.
>
>     Best-practice papers suggest that whitelisting should be the way
>     to go in filtering user input, which is what we are doing when we do
>     a switch case statement. I prefer phpinputfilter as it is more
>     popular, and to my knowledge is being constantly updated (the PEAR
>     package), and in my tests it hasn't allowed me to inject
>     unwanted characters into the database.
>
>     Anyway, when it comes to SQL injection, /never trust user input/.
>     Always validate and sanitize input. One just has to be
>     disciplined enough to pass all user input to a good
>     sanitizer/filter at every load of your script or at every receipt
>     of input from the client.
>
>     ---
>
>     http://audienceone.blogspot.com
>
>     _________________________________________________
>     Kagay-Anon Linux Users' Group (KLUG) Mailing List
>     [email protected] <mailto:[email protected] >
>     (http://cdo.linux.org.ph)
>     Searchable Archives: http://archives.free.net.ph
>
>
>
>
> --
> "A dog that has no bite, barks loudest."
> Registered Linux User #400165
> Subscribed to:
> LARTC, Open-ITLUG, PRUG, KLUG, sybase.public.ase.linux

--
"A dog that has no bite, barks loudest."
Registered Linux User #400165
Subscribed to:
LARTC, Open-ITLUG, PRUG, KLUG, sybase.public.ase.linux
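The whitelist-versus-blacklist difference Raymond describes between kses and phpinputfilter, and the "problems you haven't encountered yet" point from hard wyrd's message, shown in working code. This is an added example written for this page in Python; it is not code from kses, phpinputfilter, WordPress or Joomla!, and not from anyone in the thread. The allowed tag set, the two filter functions, the URL-scheme check and the sample inputs are all assumptions constructed for the demonstration. The blacklist filter only knows about `<script>`, so an `<img onerror>` or a `javascript:` link passes through untouched; the whitelist filter keeps only the tags and attributes it was told are safe and drops everything else.

```python
import html
import re

# Constructed sample inputs for the demonstration (not from the thread).
SAMPLES = [
    '<b>hello</b> <a href="http://example.com">link</a>',
    '<script>alert(1)</script>',
    '<SCRIPT>alert(1)</SCRIPT>',                                   # case variant
    '<img src=x onerror=alert(1)>',                                # not on the blacklist
    '<a href="javascript:alert(1)">x</a>',                         # dangerous URL scheme
    '<a href="http://example.com" onmouseover="alert(1)">x</a>',   # extra attribute
    '1 < 2',                                                       # plain text with a '<'
]

# --- Blacklist approach: strip what we already know is bad -----------------
# Everything not matched by this pattern is assumed harmless.
BAD_TAGS = re.compile(r'<script\b.*?>.*?</script>', re.DOTALL | re.IGNORECASE)

def blacklist_filter(s):
    return BAD_TAGS.sub('', s)

# --- Whitelist approach (kses-style, assumed policy): keep only what is known good
ALLOWED = {            # tag -> attributes permitted on that tag
    'b': set(),
    'i': set(),
    'a': {'href'},
}
ALLOWED_SCHEMES = ('http://', 'https://')

# A tag: optional '/', a name starting with a letter, then attributes up to '>'.
TAG_RE = re.compile(r'<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*?)\s*/?>')
# Only double-quoted attributes are recognised; anything else is dropped (fail closed).
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')

def _rebuild_tag(m):
    closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
    if name not in ALLOWED:
        return ''                       # unknown tag: removed entirely
    if closing:
        return '</%s>' % name
    kept = []
    for attr, value in ATTR_RE.findall(attrs):
        attr = attr.lower()
        if attr not in ALLOWED[name]:
            continue                    # e.g. onmouseover on <a>
        if attr == 'href' and not value.lower().startswith(ALLOWED_SCHEMES):
            continue                    # e.g. javascript: URLs
        kept.append(' %s="%s"' % (attr, html.escape(value, quote=True)))
    return '<%s%s>' % (name, ''.join(kept))

def whitelist_filter(s):
    """Rebuild the input from allowed tags only; all other text is HTML-escaped."""
    out, pos = [], 0
    for m in TAG_RE.finditer(s):
        out.append(html.escape(s[pos:m.start()]))
        out.append(_rebuild_tag(m))
        pos = m.end()
    out.append(html.escape(s[pos:]))
    return ''.join(out)

def compare(samples=SAMPLES):
    """Return (input, blacklist result, whitelist result) for each sample."""
    return [(s, blacklist_filter(s), whitelist_filter(s)) for s in samples]

if __name__ == '__main__':
    for original, black, white in compare():
        print('input:     %r' % original)
        print('blacklist: %r' % black)
        print('whitelist: %r' % white)
        print()
```

Run it and compare the two columns: the blacklist only removes the one pattern it was written for, while the whitelist never has to learn a new bypass because anything it does not recognise is already gone. The whitelist here is deliberately strict (unquoted attributes are discarded rather than parsed), which is the usual trade-off with this approach: some legitimate input is rejected so that unknown input cannot get through.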