On Fri, 2010-06-25, Nobody wrote: > On Fri, 25 Jun 2010 12:15:08 +0000, Jorgen Grahn wrote: > >> I don't do SQL and I don't even understand the terminology properly >> ... but the discussion around it bothers me. >> >> Do those people really do this? > > Yes. And then some. > > Among web developers, the median level of programming knowledge amounts to > the first 3 chapters of "Learn PHP in 7 Days". > > It doesn't help the the guy who wrote PHP itself wasn't much better. > >> - accept untrusted user data >> - try to sanitize the data (escaping certain characters etc) >> - turn this data into executable code (SQL) >> - executing it >> >> Like the example in the article >> >> SELECT * FROM hotels WHERE city = '<untrusted>'; > > Yep. Search the BugTraq archives for "SQL injection". And most of those > are for widely-deployed middleware; the zillions of bespoke site-specific > scripts are likely to be worse. > > Also: http://xkcd.com/327/
Priceless! As is often the case with xkcd, I learned something, too: there's a widely used web application/portal/database thingy which silently strips some characters from my input. I thought it had to do with HTML, but it's in fact exactly the sequences "'", ')', ';' and '--' from the comic, and a few more like '>' and undoubtedly some I haven't noticed yet. That is surely "input sanitization" gone horribly wrong: I enter "6--8 slices of bread", but the system stores "68 slices of bread". >> I thought it was well-known that the solution is *not* to try to >> sanitize the input > > Well known by anyone with a reasonable understanding of the principles of > programming, but somewhat less well known by the other 98% of web > developers. > >> Am I missing something? > > There's a world of difference between a skilled chef and the people > flipping burgers for a minimum wage. And between a chartered civil > engineer and the people laying the asphalt. And between what you > probably consider a programmer and the people doing most web development. I don't know them, so I wouldn't know ... What I would *expect* is that safe tools are provided for them, not just workarounds so they can keep using the unsafe tools. That's what Python did, with its multitude of alternatives to os.system and os.popen. Anyway, thanks. It's always nice to be able to map foreign terminology like "SQL injection" to something you already know. /Jorgen -- // Jorgen Grahn <grahn@ Oo o. . . \X/ snipabacken.se> O o . -- http://mail.python.org/mailman/listinfo/python-list
