Why Is Escaping Data Considered So Magical?

Owen Jacobson angrybaldguy at gmail.com
Fri Jun 25 22:56:02 EDT 2010


On 2010-06-25 20:49:09 -0400, Lawrence D'Oliveiro said:

> In message <slrni297ec.1m5.grahn+nntp at frailea.sa.invalid>, Jorgen Grahn
> wrote:
> 
>> I thought it was well-known that the solution is *not* to try to
>> sanitize the input -- it's to switch to an interface which doesn't
>> involve generating an intermediate executable.  In the Python example,
>> that would be something like os.popen2(['zcat', '-f', '--', untrusted]).
> 
> That’s what I mean. Why do people consider input sanitization so hard?

It's not hard. It's just begging for a visit from the fuckup fairy.

-o
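Added example, not part of the thread: Jorgen's argv-list approach beside the shell-string approach it replaces. Python 3 dropped os.popen2, so the list goes to subprocess.run instead; Python itself stands in for zcat as the child process so the example runs anywhere Python does, and the file names below are constructed inputs, not anything from the thread.

```python
# Added example (not from the thread): pass untrusted data as one argv
# element rather than splicing it into a shell command line.
import shlex
import subprocess
import sys

# Stand-in for zcat: a child script read from stdin that reports how many
# options and how many operands it received, honouring the conventional
# "--" end-of-options marker the way getopt-style parsers do.
CHILD = """\
import sys
args = sys.argv[1:]
if "--" in args:
    i = args.index("--")
    opts, operands = args[:i], args[i + 1:]
else:
    opts = [a for a in args if a.startswith("-")]
    operands = [a for a in args if not a.startswith("-")]
print(len(opts), len(operands))
"""


def _run(cmd, use_shell):
    """Run the stand-in child and return (option count, operand count)."""
    proc = subprocess.run(cmd, shell=use_shell, input=CHILD,
                          capture_output=True, text=True, check=True)
    n_opts, n_operands = proc.stdout.split()
    return int(n_opts), int(n_operands)


def count_operands_argv(untrusted):
    """Safe form, the shape of ['zcat', '-f', '--', untrusted]: the untrusted
    string is exactly one argv element, and the "--" marker keeps it an
    operand even when it starts with "-"."""
    return _run([sys.executable, "-", "-f", "--", untrusted], use_shell=False)


def count_operands_shell(untrusted):
    """Unsafe form, the shape of os.popen("zcat -f " + untrusted): the shell
    re-parses the command line, so whitespace splits the name into several
    operands and a leading "-" turns it into an option."""
    cmd = f"{shlex.quote(sys.executable)} - -f {untrusted}"
    return _run(cmd, use_shell=True)


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary name, one with a space, one
    # that looks like an option.
    for name in ["report.gz", "two words", "-r"]:
        print(f"{name!r:14} argv list -> {count_operands_argv(name)}"
              f"   shell string -> {count_operands_shell(name)}")
```

The argv list yields one operand for every input; the shell string yields two operands for "two words" and zero operands plus an extra option for "-r". Nothing about the untrusted string is inspected or rewritten on the safe path, which is the point of the thread: the data never gets a chance to be parsed as code.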