Secure Coding mailing list archives

Re: Scripting Languages and Secure Coding


From: Martin Stricker <shugal () gmx de>
Date: Thu, 04 Dec 2003 02:07:19 +0000

"M. Buchzik" wrote:

> Unfortunately, the most often found function in the web would look
> like this:
> if ($count) {
>   // Insert my sql injection ...
> }

Never ever trust user input! Most buffer overflow issues are related to
this. And while you are at it, never ever trust your own data as well -
someone might have compromised your system, or you might have made a
typo...

> But your opinion to "avoid all scripting languages" is an
> interesting one ;)
> Isn't it just the compile _time_ the difference between "interpreted"
> and "compiled" programming languages?

Theoretically (Perl, Ruby and Python are trying to be as powerful and
versatile as compiled languages), but many scripting languages,
especially the Unix shells, are constructed rather simply, without any
thoughts about secure programming.

> But what I'm missing, is a code analyzer to report possible security
> flaws in php or perl ...

In Perl, the warn, strict and taint pragmas do help. A code analyzer
would be nice anyway...

Best regards,
Martin Stricker
-- 
Homepage: http://www.martin-stricker.de/
Linux Migration Project: http://www.linux-migration.org/
Red Hat Linux 9 for low memory: http://www.rule-project.org/
Registered Linux user #210635: http://counter.li.org/
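As an added illustration of the Perl taint mode discussed in the reply above (this is not code from the thread or from either poster), the script below shows that a truthiness test like the quoted `if ($count)` leaves data tainted, while a regex capture is what actually clears the taint flag. The helper names `looks_present` and `untaint_count` are made up for this example; run it as `perl -T taint_demo.pl 42` and again with a non-numeric argument.

```perl
#!/usr/bin/perl -T
# Added example, not from the original mailing-list thread.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, anything that enters the program from outside (ARGV, ENV,
# STDIN, files) is marked tainted, and perl refuses to pass it to
# system(), exec(), open() for writing and similar calls until it has
# been laundered through a regular-expression capture.
my $input = defined $ARGV[0] ? $ARGV[0] : '';

# A truthiness check, like `if ($count)` in the quoted snippet, says
# nothing about safety: the value stays tainted afterwards.
sub looks_present {
    my ($v) = @_;
    return length $v ? 1 : 0;
}

# Untainting: accept only the shape we actually expect (here a short
# decimal integer). Returning the capture group $1 yields a clean copy;
# returning undef rejects everything else.
sub untaint_count {
    my ($v) = @_;
    return undef unless defined $v && $v =~ /\A([0-9]{1,9})\z/;
    return $1;
}

if ( looks_present($input) ) {
    printf "raw input is %s\n", tainted($input) ? 'TAINTED' : 'clean';
}

my $count = untaint_count($input);
if ( defined $count ) {
    printf "accepted %d, value is %s\n", $count,
        tainted($count) ? 'TAINTED' : 'clean';
    # $count may now be used in a file name or shell command; for SQL,
    # prefer DBI placeholders over string interpolation regardless.
}
else {
    die "rejected input: not a plain integer\n";
}
```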
