FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Lilupophilupop
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
Lilupophilupop [message #176440] Sat, 07 January 2012 12:15 Go to next message
M. Strobel is currently offline  M. Strobel
Messages: 386
Registered: December 2011
Karma: 0
Senior Member
Hi,

there is currently a strong SQL injection attack going on, I find
https://isc.sans.edu/diary.html?storyid=12127 very instructive.

A page down it says "In this instance the PAGEID=189 parameter on
page xxxxxxxx.asp is vulnerable".

Now this should not happen. If you expect an integer, use your
integer-read function!

But it happens all the time. If you use tools/4GLs/CMSses you
have to trust them, of course.

/Str
Re: Lilupophilupop [message #176441 is a reply to message #176440] Sat, 07 January 2012 13:15 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 1/7/2012 7:15 AM, M. Strobel wrote:
> Hi,
>
> there is currently a strong SQL injection attack going on, I find
> https://isc.sans.edu/diary.html?storyid=12127 very instructive.
>
> A page down it says "In this instance the PAGEID=189 parameter on
> page xxxxxxxx.asp is vulnerable".
>
> Now this should not happen. If you expect an integer, use your
> integer-read function!
>
> But it happens all the time. If you use tools/4GLs/CMSses you
> have to trust them, of course.
>
> /Str

Validating all input from the user is just good programming practice.
Nothing new here - it just shows there are a lot of programmers out
there unconcerned with security.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Lilupophilupop [message #176442 is a reply to message #176440] Sat, 07 January 2012 13:28 Go to previous messageGo to next message
Gregor Kofler is currently offline  Gregor Kofler
Messages: 69
Registered: September 2010
Karma: 0
Member
Am 2012-01-07 13:15, M. Strobel meinte:
> Hi,
>
> there is currently a strong SQL injection attack going on, I find
> https://isc.sans.edu/diary.html?storyid=12127 very instructive.
>
> A page down it says "In this instance the PAGEID=189 parameter on
> page xxxxxxxx.asp is vulnerable".
>
> Now this should not happen. If you expect an integer, use your
> integer-read function!

And? This should be common practice for any web application developer.
Nothing new here.

> But it happens all the time. If you use tools/4GLs/CMSses you
> have to trust them, of course.

How can I "trust" (or "mistrust") 4GLs? And no - I don't have to and
don't trust stock CMS' when it comes to security issues. Particularly
with their plethora of plugins.

Gregor


--
http://vxweb.net
Re: Lilupophilupop [message #176450 is a reply to message #176442] Sat, 07 January 2012 15:13 Go to previous messageGo to next message
M. Strobel is currently offline  M. Strobel
Messages: 386
Registered: December 2011
Karma: 0
Senior Member
Am 07.01.2012 14:28, schrieb Gregor Kofler:
> Am 2012-01-07 13:15, M. Strobel meinte:

>> But it happens all the time. If you use tools/4GLs/CMSses you
>> have to trust them, of course.
>
> How can I "trust" (or "mistrust") 4GLs? And no - I don't have to and
> don't trust stock CMS' when it comes to security issues. Particularly
> with their plethora of plugins.
>
> Gregor
>
>
You saw the _if_ in front of _you use_, did you?

/Str
Re: Lilupophilupop [message #176454 is a reply to message #176450] Sat, 07 January 2012 17:03 Go to previous messageGo to next message
Thomas 'PointedEars'  is currently offline  Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
Senior Member
M. Strobel wrote:

> Am 07.01.2012 14:28, schrieb Gregor Kofler:
>> Am 2012-01-07 13:15, M. Strobel meinte:
>>> But it happens all the time. If you use tools/4GLs/CMSses you
>>> have to trust them, of course.
>>
>> How can I "trust" (or "mistrust") 4GLs? And no - I don't have to and
>> don't trust stock CMS' when it comes to security issues. Particularly
>> with their plethora of plugins.
>
> You saw the _if_ in front of _you use_, did you?

Probably yes. But that does not make your statement a sound argument. Even
if you use software, you do _not_ *have* to trust it. In fact, healthy
scepticism towards software is always indicated, because software is written
by humans, and humans do make mistakes.


PointedEars
--
Danny Goodman's books are out of date and teach practices that are
positively harmful for cross-browser scripting.
-- Richard Cornford, cljs, <cife6q$253$1$8300dec7(at)news(dot)demon(dot)co(dot)uk> (2004)
Re: Lilupophilupop [message #176456 is a reply to message #176441] Sat, 07 January 2012 17:27 Go to previous messageGo to next message
Thomas Mlynarczyk is currently offline  Thomas Mlynarczyk
Messages: 131
Registered: September 2010
Karma: 0
Senior Member
Jerry Stuckle schrieb:

> Validating all input from the user is just good programming practice.

And properly (!) escaping output (this includes stuff that goes into SQL
queries). As I see it, these two simple measures should prevent 99% of
all security vulnerabilities. I'd be interested in learning about the
remaining 1% though.

> Nothing new here - it just shows there are a lot of programmers out
> there unconcerned with security.

Indeed. But I don't understand why this is so. After all, we're not
talking about the personal homepage of some newbie showing pictures of
his dog and favourite cookie recipes. The problem exists also (if not
especially) with real big professional sites, even sites where security
is paramount (online banking), run by people who should have more than
enough money to pay competent, security-aware programmers to do the job
properly. I just don't get it.

Of course, the worst about this new SQL injection attack is certainly
that ridiculous name "Lilupophilupop".

Greetings,
Thomas

--
Ce n'est pas parce qu'ils sont nombreux à avoir tort qu'ils ont raison!
(Coluche)
Re: Lilupophilupop [message #176457 is a reply to message #176456] Sat, 07 January 2012 17:52 Go to previous messageGo to next message
J.O. Aho is currently offline  J.O. Aho
Messages: 194
Registered: September 2010
Karma: 0
Senior Member
Thomas Mlynarczyk wrote:
> Jerry Stuckle schrieb:

>> Nothing new here - it just shows there are a lot of programmers out there
>> unconcerned with security.
>
> Indeed. But I don't understand why this is so. After all, we're not talking
> about the personal homepage of some newbie showing pictures of his dog and
> favourite cookie recipes. The problem exists also (if not especially) with
> real big professional sites, even sites where security is paramount (online
> banking), run by people who should have more than enough money to pay
> competent, security-aware programmers to do the job properly. I just don't get
> it.

The big issue is "maximize profit" and "finish on half the required time",
when you have those two things as the main mantras, then everything will be
crap, not just web sites and their security, but things like cell phones which
won't hold more than max 3 years, crappy health care and insurances which
don't cover anything at all.


--

//Aho
Re: Lilupophilupop [message #176459 is a reply to message #176450] Sat, 07 January 2012 19:34 Go to previous messageGo to next message
Gregor Kofler is currently offline  Gregor Kofler
Messages: 69
Registered: September 2010
Karma: 0
Member
Am 2012-01-07 16:13, M. Strobel meinte:
> Am 07.01.2012 14:28, schrieb Gregor Kofler:
>> Am 2012-01-07 13:15, M. Strobel meinte:
>
>>> But it happens all the time. If you use tools/4GLs/CMSses you
>>> have to trust them, of course.
>>
>> How can I "trust" (or "mistrust") 4GLs? And no - I don't have to and
>> don't trust stock CMS' when it comes to security issues. Particularly
>> with their plethora of plugins.
>>
>> Gregor
>>
>>
> You saw the _if_ in front of _you use_, did you?

Yes. As Thomas said - you don't *have* *to* trust it (though it's handy
to have someone else to blame, when problems arise).

Gregor
Re: Lilupophilupop [message #176465 is a reply to message #176457] Sat, 07 January 2012 21:02 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 1/7/2012 12:52 PM, J.O. Aho wrote:
> Thomas Mlynarczyk wrote:
>> Jerry Stuckle schrieb:
>
>>> Nothing new here - it just shows there are a lot of programmers out
>>> there
>>> unconcerned with security.
>>
>> Indeed. But I don't understand why this is so. After all, we're not
>> talking
>> about the personal homepage of some newbie showing pictures of his dog
>> and
>> favourite cookie recipes. The problem exists also (if not especially)
>> with
>> real big professional sites, even sites where security is paramount
>> (online
>> banking), run by people who should have more than enough money to pay
>> competent, security-aware programmers to do the job properly. I just
>> don't get
>> it.
>
> The big issue is "maximize profit" and "finish on half the required
> time", when you have those two things as the main mantras, then
> everything will be crap, not just web sites and their security, but
> things like cell phones which won't hold more than max 3 years, crappy
> health care and insurances which don't cover anything at all.
>
>

True to a big extent, J.O. But proper security practices are cheaper up
front than trying to go back and fix the problem later.

I think a much bigger problem here is there are a huge number of
programmers who don't understand proper security practices. For
instance, they think the only way someone can POST data to their site is
from another page on their site, and validating data with javascript
before it is sent is sufficient security.

Nothing could be more wrong.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Lilupophilupop [message #176477 is a reply to message #176459] Sun, 08 January 2012 13:53 Go to previous messageGo to next message
M. Strobel is currently offline  M. Strobel
Messages: 386
Registered: December 2011
Karma: 0
Senior Member
Am 07.01.2012 20:34, schrieb Gregor Kofler:
> Am 2012-01-07 16:13, M. Strobel meinte:
>> Am 07.01.2012 14:28, schrieb Gregor Kofler:
>>> Am 2012-01-07 13:15, M. Strobel meinte:
>>
>>>> But it happens all the time. If you use tools/4GLs/CMSses you
>>>> have to trust them, of course.
>>>
>>> How can I "trust" (or "mistrust") 4GLs?

Believe that the software does what it is meant to.
Are you going to ask what I think it is meant to, or what I thing
you think it is meant to?

>>> And no - I don't have to and
>>> don't trust stock CMS' when it comes to security issues. Particularly
>>> with their plethora of plugins.
>>>
>>> Gregor
>>>
>>>
>> You saw the _if_ in front of _you use_, did you?
>
> Yes. As Thomas said - you don't *have* *to* trust it (though it's handy
> to have someone else to blame, when problems arise).
>
> Gregor
>
and to Thomas PE

I think using a software like Coldfusion shows that you trust it
- at least so far as to say it is usable.

Sure there is room to debate "trust".

/Str.
Re: Lilupophilupop [message #176484 is a reply to message #176477] Sun, 08 January 2012 14:27 Go to previous messageGo to next message
Gregor Kofler is currently offline  Gregor Kofler
Messages: 69
Registered: September 2010
Karma: 0
Member
Am 2012-01-08 14:53, M. Strobel meinte:
> Am 07.01.2012 20:34, schrieb Gregor Kofler:
>> Am 2012-01-07 16:13, M. Strobel meinte:
>>> Am 07.01.2012 14:28, schrieb Gregor Kofler:
>>>> Am 2012-01-07 13:15, M. Strobel meinte:
>>>
>>>> > But it happens all the time. If you use tools/4GLs/CMSses you
>>>> > have to trust them, of course.
>>>>
>>>> How can I "trust" (or "mistrust") 4GLs?
>
> Believe that the software does what it is meant to.
> Are you going to ask what I think it is meant to, or what I thing
> you think it is meant to?

A 4th generation language can have bugs and allow exploits, just like
3rd generation languages. Despite the version upgrade, you still have to
write scripts or programs (and care about security issues, which arise
in the scope of your script). A CMS is a ready-to-use product, that
*should* take care of such issues and rule out any security issues in
the scope of the scripts of the application.

>> Gregor
>>
> and to Thomas PE
>
> I think using a software like Coldfusion shows that you trust it
> - at least so far as to say it is usable.

CF is a PITA, but, yes, it's "usable" (some - or rather few - people
even *like* CF). I've never used the term "trust" with a language - they
are "flexible", "concise", "comfortable", etc. I don't know what a
"trustworthy" language is.
Besides, I don't know why CF is considered a 4GL (according to
WikiPedia) and PHP is not.

> Sure there is room to debate "trust".

Sounds like a discussion for discussions sake.

Gregor
Re: Lilupophilupop [message #176486 is a reply to message #176484] Sun, 08 January 2012 15:00 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 1/8/2012 9:27 AM, Gregor Kofler wrote:
> Am 2012-01-08 14:53, M. Strobel meinte:
>> Am 07.01.2012 20:34, schrieb Gregor Kofler:
>>> Am 2012-01-07 16:13, M. Strobel meinte:
>>>> Am 07.01.2012 14:28, schrieb Gregor Kofler:
>>>> > Am 2012-01-07 13:15, M. Strobel meinte:
>>>>
>>>> >> But it happens all the time. If you use tools/4GLs/CMSses you
>>>> >> have to trust them, of course.
>>>> >
>>>> > How can I "trust" (or "mistrust") 4GLs?
>>
>> Believe that the software does what it is meant to.
>> Are you going to ask what I think it is meant to, or what I thing
>> you think it is meant to?
>
> A 4th generation language can have bugs and allow exploits, just like
> 3rd generation languages. Despite the version upgrade, you still have to
> write scripts or programs (and care about security issues, which arise
> in the scope of your script). A CMS is a ready-to-use product, that
> *should* take care of such issues and rule out any security issues in
> the scope of the scripts of the application.
>

Your reasoning is faulty. A 4GL should rule out security issues in the
scope of the language. A CMS can also have bugs and allow exploits.

And even with a CMS you have to write your own scripts.

Also, CMS's have had any number of security problems over the years,
even within their own scope.


>>> Gregor
>>>
>> and to Thomas PE
>>
>> I think using a software like Coldfusion shows that you trust it
>> - at least so far as to say it is usable.
>
> CF is a PITA, but, yes, it's "usable" (some - or rather few - people
> even *like* CF). I've never used the term "trust" with a language - they
> are "flexible", "concise", "comfortable", etc. I don't know what a
> "trustworthy" language is.
> Besides, I don't know why CF is considered a 4GL (according to
> WikiPedia) and PHP is not.
>
>> Sure there is room to debate "trust".
>
> Sounds like a discussion for discussions sake.
>
> Gregor

I trust languages (even 4GL) much more than I do CMS's.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Lilupophilupop [message #176494 is a reply to message #176486] Sun, 08 January 2012 17:29 Go to previous messageGo to next message
Gregor Kofler is currently offline  Gregor Kofler
Messages: 69
Registered: September 2010
Karma: 0
Member
Am 2012-01-08 16:00, Jerry Stuckle meinte:
> On 1/8/2012 9:27 AM, Gregor Kofler wrote:
>> Am 2012-01-08 14:53, M. Strobel meinte:
>>> Am 07.01.2012 20:34, schrieb Gregor Kofler:
>>>> Am 2012-01-07 16:13, M. Strobel meinte:
>>>> > Am 07.01.2012 14:28, schrieb Gregor Kofler:
>>>> >> Am 2012-01-07 13:15, M. Strobel meinte:
>>>> >
>>>> >>> But it happens all the time. If you use tools/4GLs/CMSses you
>>>> >>> have to trust them, of course.
>>>> >>
>>>> >> How can I "trust" (or "mistrust") 4GLs?
>>>
>>> Believe that the software does what it is meant to.
>>> Are you going to ask what I think it is meant to, or what I thing
>>> you think it is meant to?
>>
>> A 4th generation language can have bugs and allow exploits, just like
>> 3rd generation languages. Despite the version upgrade, you still have to
>> write scripts or programs (and care about security issues, which arise
>> in the scope of your script). A CMS is a ready-to-use product, that
>> *should* take care of such issues and rule out any security issues in
>> the scope of the scripts of the application.
>>
>
> Your reasoning is faulty. A 4GL should rule out security issues in the
> scope of the language. A CMS can also have bugs and allow exploits.

I can't see any difference to 3GLs. Take the mentioned CF. It allows to
define the data type of supplied arguments for function calls. It allows
intrinsic escaping of query strings. Both features *can* (and should) be
used, but it's not obligatory (and they are not "enabled" by some
default setting). Not doing can and will lead to injections. It's more
or less the same thing as with PHP.

> And even with a CMS you have to write your own scripts.

Pardon? You can, but you don't have to. No need to write scripts with
WordPress, Joomla!, Typo3, ...

> Also, CMS's have had any number of security problems over the years,
> even within their own scope.

Agreed. PHP-Nuke comes to my mind...

> I trust languages (even 4GL) much more than I do CMS's.

So do I.

Gregor
Re: Lilupophilupop [message #176511 is a reply to message #176494] Sun, 08 January 2012 20:49 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 1/8/2012 12:29 PM, Gregor Kofler wrote:
> Am 2012-01-08 16:00, Jerry Stuckle meinte:
>> On 1/8/2012 9:27 AM, Gregor Kofler wrote:
>>> Am 2012-01-08 14:53, M. Strobel meinte:
>>>> Am 07.01.2012 20:34, schrieb Gregor Kofler:
>>>> > Am 2012-01-07 16:13, M. Strobel meinte:
>>>> >> Am 07.01.2012 14:28, schrieb Gregor Kofler:
>>>> >>> Am 2012-01-07 13:15, M. Strobel meinte:
>>>> >>
>>>> >>>> But it happens all the time. If you use tools/4GLs/CMSses you
>>>> >>>> have to trust them, of course.
>>>> >>>
>>>> >>> How can I "trust" (or "mistrust") 4GLs?
>>>>
>>>> Believe that the software does what it is meant to.
>>>> Are you going to ask what I think it is meant to, or what I thing
>>>> you think it is meant to?
>>>
>>> A 4th generation language can have bugs and allow exploits, just like
>>> 3rd generation languages. Despite the version upgrade, you still have to
>>> write scripts or programs (and care about security issues, which arise
>>> in the scope of your script). A CMS is a ready-to-use product, that
>>> *should* take care of such issues and rule out any security issues in
>>> the scope of the scripts of the application.
>>>
>>
>> Your reasoning is faulty. A 4GL should rule out security issues in the
>> scope of the language. A CMS can also have bugs and allow exploits.
>
> I can't see any difference to 3GLs. Take the mentioned CF. It allows to
> define the data type of supplied arguments for function calls. It allows
> intrinsic escaping of query strings. Both features *can* (and should) be
> used, but it's not obligatory (and they are not "enabled" by some
> default setting). Not doing can and will lead to injections. It's more
> or less the same thing as with PHP.
>

First of all, please study up on what a 3GL language is and what a 4GL
language is (I won't get into it here - it's off topic in this newsgroup).

>> And even with a CMS you have to write your own scripts.
>
> Pardon? You can, but you don't have to. No need to write scripts with
> WordPress, Joomla!, Typo3, ...
>

I've used WordPress, Joomla and Drupal. In every one of them I've ended
up writing code for my client because the plugins don't do what he wants.

Of course, if you just tell the client he can only do what the addons
allow, that's one thing. I prefer to satisfy the client's needs.

>> Also, CMS's have had any number of security problems over the years,
>> even within their own scope.
>
> Agreed. PHP-Nuke comes to my mind...
>

And WordPress and Joomla and Drupal and all kinds of others.

>> I trust languages (even 4GL) much more than I do CMS's.
>
> So do I.
>
> Gregor
>
>


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Lilupophilupop [message #176514 is a reply to message #176511] Sun, 08 January 2012 21:59 Go to previous messageGo to next message
Gregor Kofler is currently offline  Gregor Kofler
Messages: 69
Registered: September 2010
Karma: 0
Member
Am 2012-01-08 21:49, Jerry Stuckle meinte:

>> I can't see any difference to 3GLs. Take the mentioned CF. It allows to
>> define the data type of supplied arguments for function calls. It allows
>> intrinsic escaping of query strings. Both features *can* (and should) be
>> used, but it's not obligatory (and they are not "enabled" by some
>> default setting). Not doing can and will lead to injections. It's more
>> or less the same thing as with PHP.
>>
>
> First of all, please study up on what a 3GL language is and what a 4GL
> language is (I won't get into it here - it's off topic in this newsgroup).

LOL. Yes, I can ready the Wikipedia article. From the list there, I know
and have worked with Clipper, ColdFusion and Mathematica. (And
ColdFusion in particular urges for a comparison to PHP.)

BTW: the *German* Wikipedia article states that
"The term 4GL cannot be exactly defined and is used mainly for marketing
purposes".

>>> And even with a CMS you have to write your own scripts.
>>
>> Pardon? You can, but you don't have to. No need to write scripts with
>> WordPress, Joomla!, Typo3, ...

> I've used WordPress, Joomla and Drupal. In every one of them I've ended
> up writing code for my client because the plugins don't do what he wants.

So? As I said: you can, but you don't have to. And even then, one (well,
perhaps not you) would use the CMS' own functions, classes and
framework. Besides, I'm pretty sure the *vast* majority of CMS based
websites out there don't sport any individual code snippets.

> Of course, if you just tell the client he can only do what the addons
> allow, that's one thing. I prefer to satisfy the client's needs.

You are every PHP developer's hero. I'd have never thought of that...

Gregor
Re: Lilupophilupop [message #176517 is a reply to message #176514] Sun, 08 January 2012 22:38 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 1/8/2012 4:59 PM, Gregor Kofler wrote:
> Am 2012-01-08 21:49, Jerry Stuckle meinte:
>
>>> I can't see any difference to 3GLs. Take the mentioned CF. It allows to
>>> define the data type of supplied arguments for function calls. It allows
>>> intrinsic escaping of query strings. Both features *can* (and should) be
>>> used, but it's not obligatory (and they are not "enabled" by some
>>> default setting). Not doing can and will lead to injections. It's more
>>> or less the same thing as with PHP.
>>>
>>
>> First of all, please study up on what a 3GL language is and what a 4GL
>> language is (I won't get into it here - it's off topic in this newsgroup).
>
> LOL. Yes, I can ready the Wikipedia article. From the list there, I know
> and have worked with Clipper, ColdFusion and Mathematica. (And
> ColdFusion in particular urges for a comparison to PHP.)
>
> BTW: the *German* Wikipedia article states that
> "The term 4GL cannot be exactly defined and is used mainly for marketing
> purposes".
>
>>>> And even with a CMS you have to write your own scripts.
>>>
>>> Pardon? You can, but you don't have to. No need to write scripts with
>>> WordPress, Joomla!, Typo3, ...
>
>> I've used WordPress, Joomla and Drupal. In every one of them I've ended
>> up writing code for my client because the plugins don't do what he wants.
>
> So? As I said: you can, but you don't have to. And even then, one (well,
> perhaps not you) would use the CMS' own functions, classes and
> framework. Besides, I'm pretty sure the *vast* majority of CMS based
> websites out there don't sport any individual code snippets.
>

But even if you're using the CMS's own functions, classes and frameworks
you can have security problems in your own code.

And yes, I'm sure there are sites which don't use anything else. Just
as there are sites which use no server-side programming at all.

I'd like to see where you get your statistics that the "*vast majority
of CMS based websites out there don't support any individual code snippets".

>> Of course, if you just tell the client he can only do what the addons
>> allow, that's one thing. I prefer to satisfy the client's needs.
>
> You are every PHP developer's hero. I'd have never thought of that...
>
> Gregor


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Lilupophilupop [message #176604 is a reply to message #176456] Wed, 11 January 2012 00:31 Go to previous messageGo to next message
Peter H. Coffin is currently offline  Peter H. Coffin
Messages: 245
Registered: September 2010
Karma: 0
Senior Member
On Sat, 07 Jan 2012 18:27:15 +0100, Thomas Mlynarczyk wrote:

> Jerry Stuckle schrieb:
>
>> Validating all input from the user is just good programming practice.
>
> And properly (!) escaping output (this includes stuff that goes into
> SQL queries). As I see it, these two simple measures should prevent
> 99% of all security vulnerabilities. I'd be interested in learning
> about the remaining 1% though.
>
>> Nothing new here - it just shows there are a lot of programmers out
>> there unconcerned with security.
>
> Indeed. But I don't understand why this is so. After all, we're not
> talking about the personal homepage of some newbie showing pictures
> of his dog and favourite cookie recipes. The problem exists also (if
> not especially) with real big professional sites, even sites where
> security is paramount (online banking), run by people who should have
> more than enough money to pay competent, security-aware programmers to
> do the job properly. I just don't get it.

Good programmers and idiots are indistinguishable to anyone that is not
a good programmer. The people making the hiring decisions are not good
programmers. Ergo, idiots and good programmers get hired in proportion
to the frequency of each in the job market, and the idiots move on to
other positions far more frequently, voluntarily or involuntarily.

Which also means that even if good programmers and idiots are in roughly
equal measure, the good programmers are not in the market for new jobs
nearly as often, make up a smaller portion of the market, and
not-programmers are unlikely to hire them by accident.

--
88. If a group of henchmen fail miserably at a task, I will not berate
them for incompetence then send the same group out to try the task
again.
--Peter Anspach's list of things to do as an Evil Overlord
Re: Lilupophilupop [message #176605 is a reply to message #176604] Wed, 11 January 2012 08:29 Go to previous messageGo to next message
M. Strobel is currently offline  M. Strobel
Messages: 386
Registered: December 2011
Karma: 0
Senior Member
Am 11.01.2012 01:31, schrieb Peter H. Coffin:
> On Sat, 07 Jan 2012 18:27:15 +0100, Thomas Mlynarczyk wrote:
>
>> Jerry Stuckle schrieb:
>>
>>> Validating all input from the user is just good programming practice.
>>
>> And properly (!) escaping output (this includes stuff that goes into
>> SQL queries). As I see it, these two simple measures should prevent
>> 99% of all security vulnerabilities. I'd be interested in learning
>> about the remaining 1% though.
>>
>>> Nothing new here - it just shows there are a lot of programmers out
>>> there unconcerned with security.
>>
>> Indeed. But I don't understand why this is so. After all, we're not
>> talking about the personal homepage of some newbie showing pictures
>> of his dog and favourite cookie recipes. The problem exists also (if
>> not especially) with real big professional sites, even sites where
>> security is paramount (online banking), run by people who should have
>> more than enough money to pay competent, security-aware programmers to
>> do the job properly. I just don't get it.
>
> Good programmers and idiots are indistinguishable to anyone that is not
> a good programmer. The people making the hiring decisions are not good
> programmers. Ergo, idiots and good programmers get hired in proportion
> to the frequency of each in the job market, and the idiots move on to
> other positions far more frequently, voluntarily or involuntarily.
>
> Which also means that even if good programmers and idiots are in roughly
> equal measure, the good programmers are not in the market for new jobs
> nearly as often, make up a smaller portion of the market, and
> not-programmers are unlikely to hire them by accident.
>

I agree.

But beware the fallacy of the single cause. Good programmers and
idiots can change under certain conditions - learn and un-learn
good programming.

And even good programmers make compromises in their code under
the pressure of time-to-market.

/Str.
Re: Lilupophilupop [message #176609 is a reply to message #176605] Wed, 11 January 2012 13:42 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 1/11/2012 3:29 AM, M. Strobel wrote:
> Am 11.01.2012 01:31, schrieb Peter H. Coffin:
>> On Sat, 07 Jan 2012 18:27:15 +0100, Thomas Mlynarczyk wrote:
>>
>>> Jerry Stuckle schrieb:
>>>
>>>> Validating all input from the user is just good programming practice.
>>>
>>> And properly (!) escaping output (this includes stuff that goes into
>>> SQL queries). As I see it, these two simple measures should prevent
>>> 99% of all security vulnerabilities. I'd be interested in learning
>>> about the remaining 1% though.
>>>
>>>> Nothing new here - it just shows there are a lot of programmers out
>>>> there unconcerned with security.
>>>
>>> Indeed. But I don't understand why this is so. After all, we're not
>>> talking about the personal homepage of some newbie showing pictures
>>> of his dog and favourite cookie recipes. The problem exists also (if
>>> not especially) with real big professional sites, even sites where
>>> security is paramount (online banking), run by people who should have
>>> more than enough money to pay competent, security-aware programmers to
>>> do the job properly. I just don't get it.
>>
>> Good programmers and idiots are indistinguishable to anyone that is not
>> a good programmer. The people making the hiring decisions are not good
>> programmers. Ergo, idiots and good programmers get hired in proportion
>> to the frequency of each in the job market, and the idiots move on to
>> other positions far more frequently, voluntarily or involuntarily.
>>
>> Which also means that even if good programmers and idiots are in roughly
>> equal measure, the good programmers are not in the market for new jobs
>> nearly as often, make up a smaller portion of the market, and
>> not-programmers are unlikely to hire them by accident.
>>
>
> I agree.
>
> But beware the fallacy of the single cause. Good programmers and
> idiots can change under certain conditions - learn and un-learn
> good programming.
>
> And even good programmers make compromises in their code under
> the pressure of time-to-market.
>
> /Str.

Good programmers never need to make compromises which affect the quality
of the code, no matter what the pressure.

And the number of years one has been programming is not an indication of
the quality of the programmer.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Lilupophilupop [message #176612 is a reply to message #176605] Wed, 11 January 2012 14:23 Go to previous message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma: 0
Senior Member
On 1/11/2012 9:29 AM, M. Strobel wrote:
> Am 11.01.2012 01:31, schrieb Peter H. Coffin:
>> On Sat, 07 Jan 2012 18:27:15 +0100, Thomas Mlynarczyk wrote:
>>
>>> Jerry Stuckle schrieb:
>>>
>>>> Validating all input from the user is just good programming practice.
>>>
>>> And properly (!) escaping output (this includes stuff that goes into
>>> SQL queries). As I see it, these two simple measures should prevent
>>> 99% of all security vulnerabilities. I'd be interested in learning
>>> about the remaining 1% though.
>>>
>>>> Nothing new here - it just shows there are a lot of programmers out
>>>> there unconcerned with security.
>>>
>>> Indeed. But I don't understand why this is so. After all, we're not
>>> talking about the personal homepage of some newbie showing pictures
>>> of his dog and favourite cookie recipes. The problem exists also (if
>>> not especially) with real big professional sites, even sites where
>>> security is paramount (online banking), run by people who should have
>>> more than enough money to pay competent, security-aware programmers to
>>> do the job properly. I just don't get it.
>>
>> Good programmers and idiots are indistinguishable to anyone that is not
>> a good programmer. The people making the hiring decisions are not good
>> programmers. Ergo, idiots and good programmers get hired in proportion
>> to the frequency of each in the job market, and the idiots move on to
>> other positions far more frequently, voluntarily or involuntarily.
>>
>> Which also means that even if good programmers and idiots are in roughly
>> equal measure, the good programmers are not in the market for new jobs
>> nearly as often, make up a smaller portion of the market, and
>> not-programmers are unlikely to hire them by accident.
>>
>
> I agree.
>
> But beware the fallacy of the single cause. Good programmers and
> idiots can change under certain conditions - learn and un-learn
> good programming.

my 2 cent:

I seldom saw good programmers go downhill and become bad.

But a lot of bad programmers will never become good, because they lack
analytical skills. I do not know if it is nature or nurture (probably
both), but many people simply lack analytical skills.

>
> And even good programmers make compromises in their code under
> the pressure of time-to-market.

Yes, but good programmers complain clearly to the client/boss when they
are expected to deliver something complex in a short time.
Take some pride in your work!

I flat out refuse when I expect my work will suck. I do not mind some
healthy pressure, but when I am expected to take all kinds of
strange/stupid shortcuts, I simply refuse.
Unless you do drone-work, you must have some time to think and reflect
on the code you produce.

Regards,
Erwin Moller


--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Running function in the background?
Next Topic: Magic quotes? Should I still be cautious?
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 19:08:18 GMT 2024

Total time taken to generate the page: 0.02648 seconds