Re: How Secure is this?
Posted: Wed Feb 15, 2006 1:56 pm
Fair question, so I'll answer.
blacksnday wrote:
Considering I let it be known right away that Form Input should be protected
I have no clue why that would cause an exclusion to a proper answer
about the other aspects of coding.
Let's say you filter input *so* good, it's only an integer.
If so, we don't need to worry about sql injection, quoting, db storage type, host OS, anything really.
Saying "I've covered input filtering" doesn't answer the question sufficiently, and entirely influences the rest of the questions. If you've filtered it down to just an int, there is extremely little that needs to be done beyond that.
But let's get realistic and say that the input filtering allows a-z, dashes, spaces, and underscores. Now we need to worry about which db engine - mssql considers a double dash as a comment. Now we need to worry about sql escaping. Now we need to worry about db storage type - is the input potentially longer than the field? If it's a char (5), and the username is longer....
See all the things that are affected? We aren't being nitpicky or anal. We are being thorough, to give you a fair and considered answer to the question of is this secure. Is this nice, well-designed, cute, web-2.0'ish, etc are all very subjective questions that don't require substantial detail. Whether something is secure requires tremendous attention to detail.
Remember, to be secure, you have to be correct, safe, and well-designed at every point, every day. To be insecure, you only have to make one mistake, ever.
Do you really think it's reasonable to ask for that level of certainty while leaving out half of the equation?
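
An added example, not part of the original post: input that passes the a-z, dash, space and underscore filter can still contain a double dash and can still be longer than a char(5) column, so the filter is paired with a length check and a bound parameter. Python's sqlite3 stands in for the database engine, and the table name `users` and the function names are assumptions made for this sketch.

```python
import re
import sqlite3

# Allowlist from the post: a-z, dashes, spaces, underscores.
ALLOWED = re.compile(r"[a-z _-]+")
MAX_LEN = 5  # matches the char(5) column in the post's example


def validate_username(value: str) -> str:
    """Return value if it passes the allowlist and fits the column, else raise."""
    if not ALLOWED.fullmatch(value):
        raise ValueError("characters outside a-z, dash, space, underscore")
    if len(value) > MAX_LEN:
        raise ValueError(f"longer than the {MAX_LEN}-character column")
    return value


def store_and_lookup(conn, value):
    """Validate, then bind the value as a parameter so it is never parsed as SQL."""
    name = validate_username(value)
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0]


def demo():
    conn = sqlite3.connect(":memory:")
    # SQLite does not enforce the declared length, hence the explicit check above.
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name CHAR(5))")
    results = {}
    # Constructed inputs: the middle two pass the filter yet contain a double dash.
    for sample in ["bob", "a--b", "x -- ", "robert", "o'neil"]:
        try:
            results[sample] = store_and_lookup(conn, sample)
        except ValueError as exc:
            results[sample] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for sample, outcome in demo().items():
        print(repr(sample), "->", outcome)
```
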