[WEB SECURITY] Re: recognising metacharacters as code ( Is ^ a dangerous metachar?)
Brian Eaton
eaton.lists at gmail.com
Tue Jan 9 09:44:51 EST 2007
On 1/9/07, Albert <caruabertu at gmail.com> wrote:
> CODE vs data - artificial intelligence approach? rule based? - there are
> newer methods - see USA naval laboratory for applied computer science -
> artificial intelligence research etc...
It shouldn't be that complicated. Code is what I write. Data is what
comes from the user. If at any point it is not completely and totally
obvious which is which, then that is a problem and must be fixed.
Some APIs encourage confusion between code and data. For example,
some tutorials encourage people to build up SQL queries by gluing
strings together. That is evil, because data from the user becomes
code in the query. Parameterized SQL queries (aka prepared
statements) are good, because they keep a clear distinction between
code and data.
Regards,
Brian
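An added example, not part of Brian's post: the "glued strings" query he warns about beside the parameterized form he recommends, run against a small in-memory SQLite table constructed for the demo. The same untrusted string is parsed as code by the first lookup and bound as a plain value by the second.

```python
import sqlite3

# Added example (not from the mailing-list post). The table and rows below
# are constructed for the demo; any real schema would differ.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def lookup_glued(conn: sqlite3.Connection, name: str) -> list:
    # Data from the user is pasted into the SQL text, so the database
    # parses it as part of the query: data has become code.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The SQL text is fixed at write time; the driver binds `name` as a
    # value, so whatever it contains is compared, never executed.
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]

if __name__ == "__main__":
    conn = make_db()
    untrusted = "nobody' OR 'x'='x"
    # Glued: the WHERE clause now reads name = 'nobody' OR 'x'='x' and
    # every row comes back, even though no such user exists.
    print(lookup_glued(conn, untrusted))          # ['alice', 'bob']
    # Parameterized: the whole string is looked up as one name; no match.
    print(lookup_parameterized(conn, untrusted))  # []
```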