Comments on: Clean your HTML inputs or the dog-eaters will get to you http://gojko.net/2008/06/23/clean-your-html-inputs-or-the-dog-eaters-will-get-to-you/ Building software that matters Fri, 18 May 2012 13:40:15 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Mark http://gojko.net/2008/06/23/clean-your-html-inputs-or-the-dog-eaters-will-get-to-you/comment-page-1/#comment-28985 Mark Wed, 25 Jun 2008 19:56:21 +0000 http://gojko.net/?p=142#comment-28985 ...oops, meant to say FP precision LOSS, and date/time formatting issues (like between databases vs C locales vs system settings, etc) …oops, meant to say FP precision LOSS, and date/time formatting issues (like between databases vs C locales vs system settings, etc)

]]> By: Mark http://gojko.net/2008/06/23/clean-your-html-inputs-or-the-dog-eaters-will-get-to-you/comment-page-1/#comment-28984 Mark Wed, 25 Jun 2008 19:54:55 +0000 http://gojko.net/?p=142#comment-28984 The *REAL* problem is that you should never let users augment your source code. Sounds pretty basic, but of course people slip up all the time. In the case of SQL-insertion attacks, santizing the data is one approach - but it's tedious and error prone, and often leaks back to the user ("sorry Mr O'Darn, but quotes are not allowed!"). A far better approach is to use parameter markers in the SQL ("update table set name = ? where key = ?") and then the entire issue goes away. As does floating-point precision. And date/time formatting. And performance goes up! (except possibly in Java, but that says more about Java than about SQL). Problem is, there's really no way to do this 'right' with HTML! For this reason, I think HTML is fundamentally flawed - there's no systemic way to do it right which would solve it once and for all; the best you can do is keep patching system after system for exploit after exploit ad infinitum. The *REAL* problem is that you should never let users augment your source code. Sounds pretty basic, but of course people slip up all the time.

In the case of SQL-insertion attacks, santizing the data is one approach – but it’s tedious and error prone, and often leaks back to the user (“sorry Mr O’Darn, but quotes are not allowed!”). A far better approach is to use parameter markers in the SQL (“update table set name = ? where key = ?”) and then the entire issue goes away. As does floating-point precision. And date/time formatting. And performance goes up! (except possibly in Java, but that says more about Java than about SQL).

Problem is, there’s really no way to do this ‘right’ with HTML! For this reason, I think HTML is fundamentally flawed – there’s no systemic way to do it right which would solve it once and for all; the best you can do is keep patching system after system for exploit after exploit ad infinitum.

]]> By: Ben http://gojko.net/2008/06/23/clean-your-html-inputs-or-the-dog-eaters-will-get-to-you/comment-page-1/#comment-28905 Ben Tue, 24 Jun 2008 09:05:28 +0000 http://gojko.net/?p=142#comment-28905 Blimey, there's an eye-opener. I always sanitise input that actually does anything, but I'm not sure if I have been careful enough sanitising input that could be abused in the same way as you described. Thanks Blimey, there’s an eye-opener.

I always sanitise input that actually does anything, but I’m not sure if I have been careful enough sanitising input that could be abused in the same way as you described.

Thanks

]]>