Vulnerability Development mailing list archives

Re: CROSS SITE-SCRIPTING Protection with PHP


From: Valdis.Kletnieks () vt edu
Date: Mon, 14 Oct 2002 14:42:09 -0400

On Mon, 14 Oct 2002 20:27:49 +0200, "Sverre H. Huseby" said:
> [Valdis Kletnieks]
>
> |   Note that this is particularly tricky if (for instance) you're
> |   writing in Perl, which doesn't have an inherent maximum length,
> |   but you're eventually passing it to an Oracle database that has
> |   '37' as the length..
>
> Why is it tricky?  If you're somehow able to force the input through
> substr($input, 0, 37), you have restricted its length.

Right. The tricky part is getting the '37' into the substr() call.  And in
the example I gave, your Perl-based CGI *isn't* the cause of the limit, it's
a table-size issue possibly on another machine entirely.  Or maybe the
problem isn't THAT Oracle table, as its limit is actually 90, but based on
some OTHER parameter, there will be an extract done later that will be fed
to some back-end batch process that has a limit of 37.

So the tricky part is having the back-end process tell the Oracle table that
its limit is 37, so the Oracle database can tell the Perl CGI "size limit
of A is 90, unless the value of B is "3" in which case the limit is 37" so
it can feed that info to your hypothetical API.

(Wanna guess how many times I've seen the left side of 2-up mailing labels
bleed over to the right-hand set of labels because of this sort of thing? ;)

-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
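
An added example, not part of the original message and written in Python rather than the Perl under discussion: each downstream consumer declares its own length limit once, and the front end derives the effective limit from those declarations instead of hard-coding a number. The consumer names (`oracle_table`, `batch_extract`), the registry layout and the choice to count characters are assumptions; the limits 90 and 37 and the "B is 3" condition come from the message above.

```python
# Added illustration; consumer names and registry layout are hypothetical.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Limit:
    consumer: str   # downstream system that imposes the limit
    field: str      # input field the limit applies to
    max_len: int    # maximum length in characters (assumption: not bytes)
    applies: Callable[[Dict[str, str]], bool] = lambda rec: True


# Single source of truth: every consumer registers its limit here, so the
# input layer never carries its own copy of "37".
LIMITS: List[Limit] = [
    Limit("oracle_table", "A", 90),
    # The batch extract only sees records where B == "3".
    Limit("batch_extract", "A", 37, applies=lambda rec: rec.get("B") == "3"),
]


def effective_limit(field: str, record: Dict[str, str]) -> Limit:
    """Return the tightest declared limit that applies to this record."""
    active = [l for l in LIMITS if l.field == field and l.applies(record)]
    if not active:
        raise KeyError(f"no declared limit for field {field!r}")
    return min(active, key=lambda l: l.max_len)


def validate(record: Dict[str, str]) -> List[str]:
    """Return a list of violations; an empty list means the record is accepted.

    Over-long input is rejected, not truncated, so no consumer receives
    silently altered data.
    """
    errors = []
    for field in sorted({l.field for l in LIMITS}):
        value = record.get(field, "")
        lim = effective_limit(field, record)
        if len(value) > lim.max_len:
            errors.append(
                f"{field}: {len(value)} chars exceeds {lim.max_len} ({lim.consumer})"
            )
    return errors
```
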
