Why Is Escaping Data Considered So Magical?

Jorgen Grahn grahn+nntp at snipabacken.se
Sun Jun 27 16:15:11 EDT 2010


On Fri, 2010-06-25, Nobody wrote:
> On Fri, 25 Jun 2010 12:15:08 +0000, Jorgen Grahn wrote:
>
>> I don't do SQL and I don't even understand the terminology properly
>> ... but the discussion around it bothers me.
>> 
>> Do those people really do this?
>
> Yes. And then some.
>
> Among web developers, the median level of programming knowledge amounts to
> the first 3 chapters of "Learn PHP in 7 Days".
>
> It doesn't help that the guy who wrote PHP itself wasn't much better.
>
>> - accept untrusted user data
>> - try to sanitize the data (escaping certain characters etc)
>> - turn this data into executable code (SQL)
>> - executing it
>> 
>> Like the example in the article
>> 
>>   SELECT * FROM hotels WHERE city = '<untrusted>';
>
> Yep. Search the BugTraq archives for "SQL injection". And most of those
> are for widely-deployed middleware; the zillions of bespoke site-specific
> scripts are likely to be worse.
>
> Also: http://xkcd.com/327/

Priceless!

As is often the case with xkcd, I learned something, too: there's a
widely used web application/portal/database thingy which silently
strips some characters from my input.  I thought it had to do with
HTML, but it's in fact exactly the sequences "'", ")", ";" and "--"
from the comic, and a few more like ">" and undoubtedly some I haven't
noticed yet.

That is surely "input sanitization" gone horribly wrong: I enter "6--8
slices of bread", but the system stores "68 slices of bread".

>> I thought it was well-known that the solution is *not* to try to
>> sanitize the input
>
> Well known by anyone with a reasonable understanding of the principles of
> programming, but somewhat less well known by the other 98% of web
> developers.
>
>> Am I missing something?
>
> There's a world of difference between a skilled chef and the people
> flipping burgers for a minimum wage. And between a chartered civil
> engineer and the people laying the asphalt. And between what you
> probably consider a programmer and the people doing most web development.

I don't know them, so I wouldn't know ... What I would *expect* is
that safe tools are provided for them, not just workarounds so they
can keep using the unsafe tools. That's what Python did, with its
multitude of alternatives to os.system and os.popen.

Anyway, thanks. It's always nice to be able to map foreign terminology
like "SQL injection" to something you already know.

/Jorgen

-- 
  // Jorgen Grahn <grahn@  Oo  o.   .  .
\X/     snipabacken.se>   O  o   .
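An added example, not part of Jorgen's post or of any code on the page: it shows the difference between splicing the value into the SQL text and handing it over as a bound parameter, using the payload from the xkcd strip and the "6--8 slices of bread" value from above, and then the os.system analogy with subprocess. The in-memory sqlite3 database, the Students table and all function names are my own construction; sqlite3's execute() refuses to run more than one statement, so executescript() stands in for a driver that accepts stacked statements, which is what the comic relies on.

```python
import sqlite3
import subprocess
import sys

# Constructed inputs: the payload from xkcd 327, and the harmless value
# that the "strip quotes and dashes" portal mangles.
XKCD_PAYLOAD = "Robert'); DROP TABLE Students;--"
BREAD = "6--8 slices of bread"


def fresh_db():
    """In-memory database with a Students table and two rows (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.executemany("INSERT INTO Students VALUES (?)", [("Alice",), ("Bob",)])
    conn.commit()
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'Students'"
    ).fetchone()
    return row is not None


def stored_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY name")]


def insert_by_splicing(conn, name):
    """The pattern the thread is about: the value becomes part of the SQL text.
    executescript() is used only because execute() rejects stacked statements;
    it plays the role of a driver that does not."""
    conn.executescript("INSERT INTO Students VALUES ('%s');" % name)


def insert_with_parameter(conn, name):
    """The safe tool: the statement is fixed, the value is bound separately and
    is never parsed as SQL, so it needs no escaping or stripping."""
    conn.execute("INSERT INTO Students VALUES (?)", (name,))
    conn.commit()


def spliced_demo():
    """Whether the Students table survives the xkcd payload when spliced."""
    conn = fresh_db()
    insert_by_splicing(conn, XKCD_PAYLOAD)
    return table_exists(conn)


def parameterized_demo():
    """(table survives?, stored names) after binding the same payload."""
    conn = fresh_db()
    insert_with_parameter(conn, XKCD_PAYLOAD)
    return table_exists(conn), stored_names(conn)


def sql_round_trip(value):
    """Store a value with a bound parameter and read it back unchanged."""
    conn = fresh_db()
    insert_with_parameter(conn, value)
    return conn.execute("SELECT name FROM Students WHERE name = ?", (value,)).fetchone()[0]


def argv_round_trip(value):
    """The os.system analogy: with an argument list and no shell, the value
    reaches the child as a single argv entry, metacharacters and all."""
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print("spliced: table survives?", spliced_demo())
    print("parameterized:", parameterized_demo())
    print("sql round trip:", sql_round_trip(BREAD))
    print("argv round trip:", argv_round_trip("hello; echo INJECTED"))
```

The spliced version loses the table; the parameterized version stores the whole payload as an ordinary name, and "6--8 slices of bread" comes back with its dashes intact, which is the property the stripping portal above fails to provide. The subprocess call shows the same idea for commands: "hello; echo INJECTED" arrives as one argument rather than as two shell commands.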