|
| Authored by: Anonymous on Wednesday, August 22 2012 @ 04:28 AM EDT |
> Any programmer who fails to escape user input by these means
> should be [eliminated]
I fear we might fairly quickly run out of DBAs if current
news stories are to be believed...
[ Reply to This | Parent | # ]
|
|
|
| Authored by: jesse on Wednesday, August 22 2012 @ 07:35 AM EDT |
I put it down to laziness by the DB vendor.
All such could be cured by simply separating the user input from the query.
And this has been known for ages. It can get complicated to implement, sure -
but composing a query using symbolic names for values (even as simple as $p1
$p2...) and providing the list of user data entries separately would handle
that. The dynamic formatting string + parameter list show how that works.
Unfortunately, SQL itself isn't too amenable to that. The tricky part is
allowing user specified patterns.
Entirely possible to do.[ Reply to This | Parent | # ]
|
|
|
| Authored by: stegu on Wednesday, August 22 2012 @ 08:12 AM EDT |
Let's not twist words into meaning things they
don't, OK? A "hacker" is a quite common term
for someone who enjoys programming in nonobvious
ways, inventing new uses for existing methods
and coming up with new stuff. I would consider
myself a hacker by those standards, and so
would a lot of people I know who are not the
least bit interested in committing a crime of
any sort.
The rough distinction between "hacker" and
"cracker" is criminal intent. The mere activity
of using programming as a tool for purposes that
nobody thought of before should not be criminalized.
Then we might just as well pack up and abandon
all hope of ever making any progress beyond the
current state of the art in computer science.
You wouldn't dream of calling every owner of a
baseball bat a criminal just because the bat could
be used to hit someone over the head, would you?
Or take suspicion to a person jogging to get in
shape, because clearly an ability to run without
getting tired too easily could be used to outrun
the police in a street chase.
Further eroding your bad definition, there are
"white hat" crackers who are definitely not
criminals, but try to use the hacking tools to
stay a step ahead of the criminal minds who use
the same tools in malice.
[ Reply to This | Parent | # ]
|
|
|
| Authored by: scav on Wednesday, August 22 2012 @ 08:57 AM EDT |
It should NEVER be possible to recover the passwords even
with full access to the database.
Anyone who is storing passwords is Doing It All Wrong.
---
The emperor, undaunted by overwhelming evidence that he had no clothes,
redoubled his siege of Antarctica to extort tribute from the penguins.[ Reply to This | Parent | # ]
|
- NO - Authored by: cjk fossman on Wednesday, August 22 2012 @ 10:55 AM EDT
- NO - Authored by: Anonymous on Wednesday, August 22 2012 @ 11:02 AM EDT
- NO - Authored by: cjk fossman on Wednesday, August 22 2012 @ 12:49 PM EDT
- Bit of a Worry Then? - Authored by: Anonymous on Wednesday, August 22 2012 @ 04:39 PM EDT
- NO - Authored by: Anonymous on Thursday, August 23 2012 @ 11:29 AM EDT
|
