Robert Cummings wrote:
> On Sat, 2006-09-09 at 11:30 -0400, Mark Charette wrote:
>> Stut wrote:
>>> Mark Charette wrote:
>>>> However, looking at it from a 'knowing early the data is tainted'
>>>> perspective, not from a 'validating and cleaning perspective', if you
>>>> have coded that (for instance) a variable is set via COOKIE, then
>>>> only looking for that variable set via COOKIE will eliminate its
>>>> being tainted by being set via GET or REQUEST. It doesn't eliminate
>>>> any need for validation or cleaning, but reduces (naive) attempts to
>>>> set via incorrect means. That is not possible via REQUEST.
>>>> Personally, I like to toss out possibilities of bad data via simple
>>>> means as early in the chain as possible.
>>> If I understood that right it's a shockingly naive statement for any
>>> developer to make. While I agree with what you're saying, you're
>>> implying a bad attitude to handling data from untrusted sources.
>> I am being neither shocking nor naive. Why is early discarding of data
>> because it comes in the wrong area shocking?
> That's your last line, I think he's commenting on the rest of your
> comment. Questionable data is questionable data, it doesn't matter from
> whence you clean it. If you haven't cleaned it you're still going to get
> screwed no matter how much you rely on it being difficult to manipulate
> by a site visitor.

Where am I being unclear, then? "reduces (naive) attempts to set via
incorrect means." doesn't say 'eliminate serious attempts'. I would
think my statement "It doesn't eliminate any need for validation or
cleaning," covers the remaining scenarios. Indeed, determining the
source of data is one of the essential steps in validation. One of
the rules is 'discard even valid data if it comes from an untrusted
source' - and data coming from an _incorrect_ source is, by definition,
untrusted even if you wish to expend the effort to prove it valid.
And I'll wager a brew no one here has ever done a formal, mathematically
rigorous proof of a validation routine except as a class project. As a
senior member of the software QC department in a major industrial
company, I generally find more errors and omissions in validation
routines during code reviews and ethical hacks than anywhere else.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
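
The two-step handling discussed in this message (read a variable only from the channel it was coded to arrive in, then validate it anyway), as an added example that is not part of the original thread. The function name `input_from`, the `theme` parameter, the allow-list pattern and the sample requests are all constructed for illustration.

```php
<?php
// Added example: function name, the "theme" parameter and all values are constructed.

function input_from(string $source, string $name, string $pattern): ?string
{
    // One declared channel per variable. $_REQUEST is deliberately absent:
    // it merges GET, POST and (depending on request_order) COOKIE, so the
    // origin of a value read from it cannot be known.
    switch ($source) {
        case 'cookie': $values = $_COOKIE; break;
        case 'get':    $values = $_GET;    break;
        case 'post':   $values = $_POST;   break;
        default:
            throw new InvalidArgumentException("unknown source: $source");
    }

    // Step 1: a value that did not arrive in the declared channel is
    // treated as absent, however valid its content looks.
    if (!array_key_exists($name, $values)) {
        return null;
    }

    // Step 2: the right channel is still untrusted, so validate.
    // A parameter sent as name[]=x arrives as an array; accept strings only.
    $value = $values[$name];
    if (!is_string($value) || preg_match($pattern, $value) !== 1) {
        return null;
    }
    return $value;
}

// Anchored allow-list: the whole value must be one of the known themes.
$allowed = '/\A(?:light|dark)\z/';

// Constructed request 1: the value is supplied only in the query string.
$_COOKIE = [];
$_GET    = ['theme' => 'dark'];
var_dump(input_from('cookie', 'theme', $allowed));

// Constructed request 2: right channel, content outside the allow-list.
$_COOKIE = ['theme' => '<script>'];
var_dump(input_from('cookie', 'theme', $allowed));

// Constructed request 3: right channel, content on the allow-list.
$_COOKIE = ['theme' => 'dark'];
var_dump(input_from('cookie', 'theme', $allowed));
```

Only the third request yields a value; the first is dropped by the source check before any validation runs, and the second passes the source check but fails validation.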