develooper Front page | perl.beginners | Postings from March 2002

re: unallowed chars

Thread Previous | Thread Next
From:
Jenda Krynicky
Date:
March 29, 2002 06:16
Subject:
re: unallowed chars
Message ID:
3CA48545.23468.2DE96C@localhost
From: Teresa Raymond <traymond@mariposanet.com>

> Ok, and where are the recommended characters to disallow?  I have
> tested and I know which characters are going through but I would like
> to make sure I've included most of the recommended list.

Oh my God. Did you read what I wrote or just scaned over quickly 
for something that would look like a list of "dangerous" characters?

Once again, now in short sentences.

1) There is NO single list of dangerous characters. What 
characters are dangerous depends on the action you do with the 
data.

2) If you or someone else creates a list of suspicious characters 
and test whether the data contain any of them, you are NOT safe. 
It's for sure you'll forget some character, it's for sure there is 
something you've never heard of that can go wrong.

3) Always test whether the data DO CONTAIN ONLY ALLOWED 
characters. And allow only the characters you must.

Jenda

> >From: Teresa Raymond <traymond@mariposanet.com>
> >
> >>  Where in the Camel or other resource is the list of characters
> >>  that we don't want people to type in.  I'm still collecting all
> >>  the resources I lost from my logic board dying.  Thanks in
> >>  advance.
> >
> >When testing data you should ALWAYS test whether the string
> >contains only the allowed characters or is in the allowed format,
> >never whether it contains some forbidden characters or contains
> >something that you do not like.
> >
> >You may forget something that happens to be special in your case and
> >you would open a security hole while thinking you are safe.
> >
> >While in the life I prefer "what is not forbidden, is allowed"
> >in programming it should be the oposite.
> >
> >Jenda
> >
> >=========== Jenda@Krynicky.cz == http://Jenda.Krynicky.cz ==========
> >There is a reason for living. There must be. I've seen it somewhere.
> >It's just that in the mess on my table ... and in my brain I can't
> >find it. 					--- me
> >
> >--
> >To unsubscribe, e-mail: beginners-unsubscribe@perl.org
> >For additional commands, e-mail: beginners-help@perl.org
> 
> 
> --
> -------------------------------
> -  Teresa Raymond             -
> -  Mariposa Net               -
> -  http://www.mariposanet.com -
> -------------------------------
> -- 
> 
> -- 
> To unsubscribe, e-mail: beginners-unsubscribe@perl.org
> For additional commands, e-mail: beginners-help@perl.org



== Jenda@Krynicky.cz == http://Jenda.Krynicky.cz ==
: What do people think?
What, do people think?  :-)
             -- Larry Wall in <199808071736.KAA12738@wall.org>

Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About