Secure Coding mailing list archives
Re: Scripting Languages and Secure Coding
From: Martin Stricker <shugal () gmx de>
Date: Thu, 04 Dec 2003 02:07:19 +0000
"M. Buchzik" wrote:

> Unfortunately, the most often found function in the web would look like this: if ($count) { // Insert my sql injection ... }

Never ever trust user input! Most buffer overflow issues are related to this. And while you are at it, never ever trust your own data as well - someone might have compromised your system, or you might have made a typo...

> But your opinion to "avoid all scripting languages" is an interesting one ;) Isn't it just the compile _time_ the difference between "interpreted" and "compiled" programming languages?

Theoretically (Perl, Ruby and Python are trying to be as powerful and versatile as compiled languages), but many scripting languages, especially the Unix shells, are constructed rather simply, without any thoughts about secure programming.

> But what I'm missing is a code analyzer to report possible security flaws in php or perl ...

In Perl, the warn, strict and taint pragmas do help. A code analyzer would be nice anyway...

Best regards,
Martin Stricker
--
Homepage: http://www.martin-stricker.de/
Linux Migration Project: http://www.linux-migration.org/
Red Hat Linux 9 for low memory: http://www.rule-project.org/
Registered Linux user #210635: http://counter.li.org/
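As an added illustration of the taint checking Martin refers to (this is example code written for this archive page, not code from the thread or from any poster): under `perl -T`, every value that comes from the outside (command line, environment, file handles) is marked tainted, and Perl refuses to pass it to `system`, `exec`, `open` for writing and similar calls until it has been laundered through an explicit regex capture. The script below feeds a constructed hostile filename through that mechanism; the `untaint_filename` helper and the `taint` helper are this example's own names, and the helper relies on the documented trick of concatenating an empty substring of an environment variable to taint a literal.

```perl
#!/usr/bin/perl -T
# Added example, not from the original mailing-list post.
# Run as:  perl -T taint_demo.pl
#     or:  perl -T taint_demo.pl 'report.txt; rm -rf /'
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode also insists on a clean environment before any external
# command is run, so set PATH explicitly and drop the shell-affecting vars.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Mark a literal as tainted the way perlsec describes: concatenating a
# zero-length slice of a tainted value (any %ENV entry) taints the result.
# Assumption: at least one environment variable besides PATH exists.
sub taint {
    my ($s) = @_;
    return $s . substr(join('', values %ENV), 0, 0);
}

# Constructed sample input standing in for a CGI parameter.  A real
# @ARGV element is tainted already; the fallback literal has to be
# tainted by hand so the demo behaves the same either way.
my $user_input = @ARGV ? $ARGV[0] : taint('report.txt; rm -rf /');
printf "input %-28s tainted: %s\n", "'$user_input'",
    tainted($user_input) ? 'yes' : 'no';

# The only sanctioned way to untaint is to match against an allow-list
# pattern and use the capture.  Anything that does not match is rejected;
# note that the pattern expresses what is allowed, never what is forbidden.
sub untaint_filename {
    my ($raw) = @_;
    if ($raw =~ /\A([A-Za-z0-9_.-]{1,64})\z/) {
        my $clean = $1;                 # capture groups are untainted
        return if $clean =~ /\A\.\.?\z/; # still refuse "." and ".."
        return $clean;
    }
    return;                             # reject everything else
}

my $safe = untaint_filename($user_input);
if (defined $safe) {
    printf "accepted: %s (tainted: %s)\n", $safe,
        tainted($safe) ? 'yes' : 'no';
} else {
    print "rejected: input did not match the allow-list pattern\n";
}

# Enforcement: handing the raw tainted value to system() dies with
# "Insecure dependency in system while running with -T switch", even in
# the list form that would not involve a shell.  The eval catches it.
eval { system('ls', '-d', $user_input) };
print "system() with the tainted value: ", ($@ ? "blocked: $@" : "ran\n");
```

With the default hostile input the script reports the value as tainted, rejects it in `untaint_filename`, and shows `system()` refusing it; with a plain `report.txt` argument the capture comes back untainted and would be accepted. The point worth taking away is that `-T` does not validate anything for you, it only forces the validation to exist and to be a regex the reviewer can read.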