Hiya Randy,

On Tue, Oct 04, 2005 at 03:30:23 -0400, Randy W. Sims wrote:
> I know perl. I know some basics of web/CGI programming, but haven't
> done anything where security really matters. Could anyone recommend
> books or references that discuss real-world web programming, that
> show the right way to create secure sites? Topics like creating
> logins, varying levels of access rights (some can edit, some can
> view, some have limited views), different methods of storing
> information & storing user data (plain file, DBM, DBMS;
> strengths/weaknesses), what issues arise in using web hosting vs
> having your own server.
I used to have a link to a very good (online version of a) web-based security book around, but can no longer find it, so I'll share some pe[a]rls ;) I use when working on perl/CGI web-apps:

* If at all possible, use perl's built-in taint mode - see the man page for `perlsec' for more info on this. With taint mode enabled, all input is tainted by default until verified to be `correct'.

* Escape [shell] `meta'-characters - `"', `;', `|', etc. - in all user input. This is especially important if you hand off user-supplied input to an external program (for example, `sendmail').

* Finally, don't black-list, white-list. In other words, don't check for badly-formed or `illegal' data, check for valid and correct data. There is just a never-ending list of things that'll need black-listing (what with new types of exploits coming out daily (in certain areas)), and you'll always be playing catch-up if you go the reverse route.

> Also, are there any particularly good general web development books
> you highly recommend?

If I find that link (or remember the name of the book), I'll reply with it. :)

Best,
Elfyn

--
Elfyn McBratney
Gentoo Developer/Perl Team Lead
beu/irc.freenode.net
http://dev.gentoo.org/~beu/
+------------O.o---------------------
http://dev.gentoo.org/~beu/pubkey.asc
PGP Key ID: 0x69DF17AD
PGP Key Fingerprint: DBD3 B756 ED58 B1B4 47B9 B3BD 8D41 E597 69DF 17AD
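The three rules in Elfyn's reply (taint mode, keeping shell meta-characters away from external programs, and white-listing rather than black-listing) fit together in one short CGI-style handler. The following is an added example, not code from the original thread; the role table, the `/usr/sbin/sendmail` path and the sample parameters are assumptions standing in for a real application's config and CGI input.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post). Run it as: perl -T this_script.pl
# -T is taint mode from perlsec: every value that came from outside the
# program is "tainted" and perl refuses to pass it to the shell, exec or
# open() until it has been laundered through a regex capture.
use strict;
use warnings;

# Under -T, PATH (and a few related variables) count as tainted input too;
# set a fixed PATH and drop the rest or perl dies with "Insecure $ENV{PATH}".
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# White-list validators. Each returns the untainted value on success or
# undef on failure. A regex capture is the only way perl lets tainted data
# become clean, so the pattern *is* the policy: describe what is valid,
# not what is forbidden.
sub valid_username {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([a-z][a-z0-9_]{2,15})\z/ ? $1 : undef;
}

sub valid_email {
    my ($raw) = @_;
    return unless defined $raw;
    # Deliberately narrow: a local-part that starts with a letter or digit
    # (so it can never look like a command-line option) and a dotted domain.
    return $raw =~ /\A([a-z0-9][a-z0-9._+-]{0,63}\@[a-z0-9-]+(?:\.[a-z0-9-]+)+)\z/i
        ? $1 : undef;
}

# Access rights as an explicit capability table (hypothetical roles): the
# question asked is "is this action granted to this role", never "is the
# role absent from a deny list".
my %can = (
    viewer => { view => 1 },
    editor => { view => 1, edit => 1 },
    admin  => { view => 1, edit => 1, delete => 1 },
);

sub allowed {
    my ($role, $action) = @_;
    return (exists $can{$role} && $can{$role}{$action}) ? 1 : 0;
}

# Hand a validated address to sendmail without ever going through /bin/sh:
# the list form of open() execs the program directly with separate argv
# entries, so `"', `;' or `|' in $to would be passed as literal text rather
# than interpreted, even if the validator above were weaker than it is.
sub send_notice {
    my ($to, $body) = @_;
    open my $mail, '|-', '/usr/sbin/sendmail', '-oi', $to
        or die "cannot run sendmail: $!";
    print {$mail} "To: $to\nSubject: notice\n\n$body\n";
    close $mail or die "sendmail failed: $?";
}

# Constructed sample input standing in for CGI parameters.
my %param = (user => 'rws_42', email => 'randy@example.org', role => 'editor');

my $user = valid_username($param{user});
defined $user or die "bad username\n";
my $email = valid_email($param{email});
defined $email or die "bad e-mail address\n";
die "not permitted\n" unless allowed($param{role}, 'edit');

print "ok: $user may edit; would notify $email\n";
# send_notice($email, "Your edit was saved.");   # enable on a host with sendmail
```

Because `-T` sits on the shebang line, perl insists it is also given on the command line (`perl -T script.pl`); that is intentional, so the script cannot accidentally be run without taint checks. Note that the list-form `open` removes the need to escape shell meta-characters at all, which is the stronger option when the external program accepts its arguments directly; escaping is the fallback for the rare case where a shell really must be involved.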