On Thu, Sep 2, 2010 at 7:23 PM, Les Hughes wrote:
[ ... ]
>
> Universities can always do more, but it is my belief that universities are
> academic institutions, not vocational ones (there is overlap.. but for
> simplicity...). You are trained in 'Computer Science'/etc, not in
> 'programming'.
T
silky wrote:
In fact, I explicitly remember there usually
being a statement on assignments saying that you can assume the input
will be valid.
Well, the lecturer/teacher should specifically be called out on this
as input validation is critically important, as you highlight. It may
not alwa
On Thu, Sep 2, 2010 at 3:20 PM, silky wrote:
[...]
> Even outside of direct "help" from Microsoft, I think any individual
> could discuss with OWASP or a similar organisation and come up with a
> way to contact Unis and give a lecture on some industry-experienced
> approaches to actually develo
On Thu, Sep 2, 2010 at 2:21 PM, Sam Lai wrote:
> Martin, sounds like a sign that they're actually teaching their
> students about such attack techniques, which is bad on your end, but
> is probably a good thing given the comments here.
>
> Now that you mentioned uni, I have to say I don't recall e
ive it
> a go :)
>
>
>
> Martin
>
>
>
> From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
> On Behalf Of Corneliu I. Tusnea
>
> Sent: Wednesday, 1 September 2010 9:47 PM
> To: ozDotNet
> Subject: Re: [OT] SQL injection attack vectors
>
>
On Thu, Sep 2, 2010 at 12:18 PM, Nathan Schultz wrote:
> Understood. That's the difference between URL Encoding and HTML Encoding.
URL Encoding may not fix it, because, as far as I just tested, you can
still escape out of the specific area within a href='[here]'.
And that's what always ne
Understood. That's the difference between URL Encoding and HTML Encoding.
My point was more that in MVC, you have an HtmlHelper class with a bag of goodies.
ie:
Html.RouteLink() generates a safe URL link.
Html.TextBox() generates a safe text-box
Html.AntiForgeryToken() generates a token that protects a
On Thu, Sep 2, 2010 at 11:47 AM, Nathan Schultz wrote:
> I'm a little surprised by comments that most devs wouldn't know what a SQL
> Injection attack was. Most developers I've worked with have a class of
> some kind with a function for sanitizing data against SQL Injection.
>
> These days you d
>
>
> From: ozdotnet-boun...@ozdotnet.com [mailto:
> ozdotnet-boun...@ozdotnet.com] On Behalf Of Corneliu I. Tusnea
> Sent: Wednesday, 1 September 2010 9:47 PM
> To: ozDotNet
> Subject: Re: [OT] SQL injection attack vectors
>
>
>
> Sam,
>
>
>
t.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Corneliu I. Tusnea
Sent: Wednesday, 1 September 2010 9:47 PM
To: ozDotNet
Subject: Re: [OT] SQL injection attack vectors
Sam,
I do a lot of work in this field and yes, developers without any knowledge
of what SQL Injection (or even XSS) i
Sam,
I do a lot of work in this field and yes, developers without
any knowledge of what SQL Injection (or even XSS) is are the main culprit.
Even with the current "tools" (.net, asp.net..) SQL Injection and XSS are
very common. I've seen loads of production apps with potential issues but,
as long
On 1 September 2010 15:06, Craig van Nieuwkerk wrote:
> >
> > I don't see how any legitimate programmer could claim to be unaware of
> > such an issue; it's a core concept about how programming works. They
> > may as well be confused that comments don't compile.
> >
>
> Of the hundred plus develo
On Wed, Sep 1, 2010 at 2:14 PM, David Connors wrote:
> On 1 September 2010 13:47, silky wrote:
>>
>> It's hard to blame the programmers totally for this, as it's almost
>> always a business issue that has led to the poor implementation
>> (security not being a priority).
>
> I don't know that it
On 1 September 2010 15:06, Craig van Nieuwkerk wrote:
> Of the hundred plus developers I have worked with over the years, most
> would stare at you blankly if you mentioned sql injection. Just the
> other day I had to go to great lengths to explain it to some pretty
> experienced developers.
>
Y
On Wed, Sep 1, 2010 at 3:06 PM, Craig van Nieuwkerk wrote:
>> I don't see how any legitimate programmer could claim to be unaware of
>> such an issue; it's a core concept about how programming works. They
>> may as well be confused that comments don't compile.
>
> Of the hundred plus developers I
>
> I don't see how any legitimate programmer could claim to be unaware of
> such an issue; it's a core concept about how programming works. They
> may as well be confused that comments don't compile.
>
Of the hundred plus developers I have worked with over the years, most
would stare at you blank
On Wed, Sep 1, 2010 at 2:50 PM, Craig van Nieuwkerk wrote:
>> Developers should step up and take responsibility and pride in the quality
>> of the work they produce IMNSHO.
>
> IME, developers are not lazy but just totally unaware of issues
> related to building queries by concatenating strings. A
On Wed, Sep 1, 2010 at 2:44 PM, David Connors wrote:
> On 1 September 2010 13:47, silky wrote:
> >
> > It's hard to blame the programmers totally for this, as it's almost
> > always a business issue that has led to the poor implementation
> > (security not being a priority).
>
> I don't know tha
> Developers should step up and take responsibility and pride in the quality
> of the work they produce IMNSHO.
IME, developers are not lazy but just totally unaware of issues
related to building queries by concatenating strings. Another issue is
that if you use parameters, SQL Server will be able to make
On 1 September 2010 13:47, silky wrote:
> It's hard to blame the programmers totally for this, as it's almost
> always a business issue that has led to the poor implementation
> (security not being a priority).
I don't know that it is fair to say it is 'almost always a business issue'.
I don't
[mailto:ozdotnet-boun...@ozdotnet.com] On
Behalf Of David Connors
Sent: Wednesday, 1 September 2010 1:47 PM
To: ozDotNet
Subject: Re: [OT] SQL injection attack vectors
On 1 September 2010 13:38, Sam Lai wrote:
Out of curiosity (it isn't Friday yet, but close enough) - does
parameterize
On 1 September 2010 13:38, Sam Lai wrote:
> Out of curiosity (it isn't Friday yet, but close enough) - does
> parameterized SQL render all SQL injection attack techniques useless?
>
Yes, with the single (AFAIK) exception of particularly special people who
take the input on the stored procedure s
On Wed, Sep 1, 2010 at 1:38 PM, Sam Lai wrote:
> Out of curiosity (it isn't Friday yet, but close enough) - does
> parameterized SQL render all SQL injection attack techniques useless?
The answer depends on how you use your data; i.e. context. Typically
the answer would be "Yes", but then someone