[thelist] Form Security

Bill Moseley moseley at hank.org
Mon Jul 19 15:23:41 CDT 2010


On Mon, Jul 19, 2010 at 12:02 PM, Frank Marion <lists at frankmarion.com>wrote:

> On 2010-07-19, at 9:16 AM, Luther, Ron wrote:
>
>>
>> 1) Security and convenience are the opposite ends of a scale. You'll have
> to determine where between the two you want the marker to sit.
>

I'm not sure I follow that.  Actually, I think when using good coding
practices (i.e. a good secure framework and centralized validation)
convenience and security are on the same end of the scale.   But, I suppose
you mean something else.



> 2) You can have it fast, cheap, or well done. Pick two.


Seems like the choices are 1) fast and cheap or 2) well done.    I have not
seen that throwing money at a problem always makes it well done (or fast).



>  (1) I think a lot of forms development folks get overly aggressive and
>> hung up on input completeness and validation.  While that may be mandated by
>> management, it [IMVHO] can come across as bloody annoying on the user end of
>> the stick.  There actually IS a difference between a "required" field ...
>> and a field people simply "want" populated.  Please don't confuse the two.
>>
>
> Again, total agreement. But even a field such as an optional feedback
> comments field on, say, an order requires security checking. You do want to
> strip out or neutralize anything that is potentially harmful such as
> sql-injection attacks. The very simplest way to do that is to force it to a
> non-evaluate string. Doesn't need to be required, but it should still be
> processed for security, and frankly, it's easy. If it's not required, we
> still need to check it's type. 1+1 and "1+1" have two different effects when
> passed to an SQL statement.


What's an "non-evaluate string"?



-- 
Bill Moseley
moseley at hank.org


More information about the thelist mailing list