WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Anyone have some basic security tips for PHP-programmers?

From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 25 Nov 2003 22:18:03 +0100
[Ulf Härnhammar]

|   Moral of the story: always check lengths as well, [...]

[Andreas]

|   Those are all bugs in the program being called. I see your point,
|   but the solution in this case is to patch the flawed program.

I think you should nevertheless check the length.  When validating
input, you check that the input match the rules of your application.
If input will end up in a database field of type VARCHAR(64), then
your application sort of expects the length to be no longer than 64,
and should check that it in fact is below this limit.  Not just to
prevent buffer overflows down below, but to make sure there are no
unforeseen side effects (neither for the application nor for the poor
user).

Just my two kroner (NOK/DKK) / kronor (SEK).  (to keep it Scandinavian)


Sverre.

-- 
shh () thathost com
http://shh.thathost.com/
Previous By Date Next
Previous By Thread Next

Current thread: