[thelist] SQL Update CORRECTION

Jason Robbins evolt at whisky-fudge.org.uk
Fri Jul 16 17:06:55 CDT 2004


John.Brooking at sappi.com wrote:
> From the Security chapter of O'Reilly's "CGI Programming with Perl", 2nd
> Edition (I think the concept applies here too):
> 
> "The right way is not to make a list of what to disallow. The right way is
> to make a list of what to allow. This makes the solution much more
> manageable. If you start by saying that anything goes and looking for those
> things that cause problems, you will spend a long time looking. There are
> countless combinations to check. If you say that nothing goes and then
> slowly add things, you can check each of these as you add them and confirm
> that nothing will slip past you. If you missed something, you have
> disallowed something you should allow, and you can correct the problem by
> testing it and adding it. This is a much safer way to error."
> 
> "... It's never a good idea to simply trust someone else who provides you a
> 'definitive' list ... to check against. You are the one who is accountable
> for your code, so you should fully understand why and how your code works,
> and not place blind faith in others."
It is sound advice and the same advice I give to everyone I meet, but not 
always practical! Time and quick solutions are often the ones that are 
needed, even if they are not the better solutions.

Jas
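The allow-versus-deny principle in the quoted passage is easier to see in working code than in prose. The following is an added example (not from the original post, the book, or the list) contrasting a denylist "sanitizer" with allowlist validation for an SQL UPDATE. The table, column names and sample rows are constructed for the demo and use an in-memory SQLite database; the `denylist_clean` function is deliberately the fragile approach the passage argues against.

```python
import re
import sqlite3

# --- Denylist approach: enumerate what we think is dangerous and strip it.
# Kept here only to show why it fails; do not use this for real input handling.
DENYLIST = ("--", ";", "drop", "union", " or ")


def denylist_clean(value: str) -> str:
    """Remove each denylisted token once, case-insensitively.

    A single pass is trivially bypassed: 'DRdropOP' loses the inner 'drop'
    and becomes 'DROP', and anything not on the list ('||', '/*', ...) passes.
    """
    out = value
    for token in DENYLIST:
        out = re.sub(re.escape(token), "", out, flags=re.IGNORECASE)
    return out


# --- Allowlist approach: state exactly what is acceptable, reject the rest.
# Usernames: a small, testable character set and length (constructed rule).
USERNAME_RE = re.compile(r"\A[A-Za-z0-9_]{1,32}\Z")
# Columns a profile update may touch. Identifiers cannot be bound as query
# parameters, so the only safe way to take a column name from a client is to
# check it against a fixed set like this one (constructed for the demo).
UPDATABLE_COLUMNS = frozenset({"email", "display_name"})


def is_valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def checked_column(name: str) -> str:
    if name not in UPDATABLE_COLUMNS:
        raise ValueError(f"column not updatable: {name!r}")
    return name


def update_user(conn: sqlite3.Connection, username: str, column: str, value: str) -> int:
    """Update one allowlisted column for one user; returns rows affected.

    Structure (the column identifier) comes from the allowlist; data (the new
    value and the username) is bound as parameters, so SQL syntax inside the
    value is stored literally rather than executed.
    """
    if not is_valid_username(username):
        raise ValueError(f"invalid username: {username!r}")
    col = checked_column(column)
    cur = conn.execute(
        f"UPDATE users SET {col} = ? WHERE username = ?",
        (value, username),
    )
    conn.commit()
    return cur.rowcount


def make_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY, email TEXT, display_name TEXT,"
        " is_admin INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, display_name) VALUES (?, ?, ?)",
        [("alice", "alice@example.org", "Alice"), ("bob", "bob@example.org", "Bob")],
    )
    conn.commit()
    return conn


def get_user(conn: sqlite3.Connection, username: str) -> tuple:
    return conn.execute(
        "SELECT email, display_name, is_admin FROM users WHERE username = ?",
        (username,),
    ).fetchone()


if __name__ == "__main__":
    print(denylist_clean("DRdropOP TABLE users"))  # the denylist leaves DROP behind
    conn = make_demo_db()
    update_user(conn, "alice", "display_name", "Robert'); DROP TABLE users; --")
    print(get_user(conn, "alice"))  # value stored verbatim, table still present
    try:
        update_user(conn, "alice", "is_admin", "1")
    except ValueError as err:
        print("rejected:", err)
```

The point the quoted passage makes shows up in the last call: `is_admin` was never added to the allowlist, so the request is refused even though nothing in it looks "dangerous". If that column later needs to be updatable, you add it deliberately and test that one addition, rather than hunting for every string that could slip past a denylist.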

