>         I still find it incredible that in 2012 there are people who 
> consider themselves professional developers who downplay security 
> concerns, and who ignore basic security practices. There are groups of 
> people with advanced PhDs in computing, networking and cryptography who 
> do nothing but figure out how to break into systems who are in the employ 
> of various nations and corporate espionage companies, and yet a lone 
> programmer with some knowledge of one or two development tools is going 
> to outsmart them.
>
>         I can't decide if it's hubris, stubbornness, or just sheer ignorance.

Having spent decades dealing with government bureaucracies overseen by 
people with PhDs and MDs with their own decades of experience of doing 
whatever, and working in a field that advocates for people who have 
regularly been literally injured or killed by such people, I have to say 
that I am not impressed by appeals to authority.

The rate at which these people screw up, badly, is extremely high.

The rate at which allegedly very highly qualified and experienced computer 
programmers screw up is also very high, as shown voluminously by Microsoft, 
and to a lesser extent by other entities.

I will leave comments about the extent to which academic "computer science" 
has any relevance or usefulness to the day-to-day activities of programmers 
to another discussion. :)

I live in a practical world. I write very specific types of applications 
for very specific audiences. The risks, benefits, and costs that apply to 
my situation do not apply to other situations. There are no 
one-size-fits-all solutions.

There is also no complete agreement on what it takes to protect against SQL 
injection. Lots of alleged "experts" claim all you need is to parameterize 
your queries. Lots of other alleged "experts" claim you should use a 
multiple belt-and-suspenders approach that includes sanitizing user input 
before passing it to the back end. I cannot logically see why, if you've 
sanitized your input once, you need to do it again. I also cannot 
understand why anybody would sing the praises of an "expert" who designed a 
SQL query language that requires single quotes to be escaped in strings, 
ALWAYS, for reasons that have NOTHING TO DO with security, but who am I, a 
mere mortal, to question the gods?

I freely confess to ignorance. I am also a very practical person. I am 
willing to learn and change what I do, as long as the risk/cost/benefit 
calculation makes sense. My applications do not handle money or credit 
information or anything else that criminals would have incentives to steal. 
My applications are not available over the web. I do not need to write code 
that protects against every single possible hack that somebody could come 
up with.

If, as Stephen seems to suggest, I can populate an object with user input 
and pass it to another object that inserts the values into a query as ? 
parameters without doing violence to my ability to dynamically structure 
the query based on the situation, and thereby avoid maintaining hundreds of 
static queries or views or stored procedures, I will do that.

But in my situation, the amount of work and headache involved in writing and 
maintaining static queries far exceeds the amount of work it takes to 
sanitize user input to the extent necessary for my particular audience. I 
will not do the former merely to protect against shadowy threats that 
cannot be demonstrated to exist in my situation.

And I do not accept the notion that healthy skepticism about the 
pronouncements of "experts" and "authorities" who insist that something 
"can't be done" is evidence of stubbornness or hubris. I, and the people I 
work with and for, have been burned, badly, far too many times by such 
people. I have no interest in protecting their egos.

Ken Dibble
www.stic-cil.org 


_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.
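The dynamic-but-parameterized approach discussed above, as an added example that is not part of the original post or the ProFox list: query structure (which columns appear in the WHERE clause) is chosen at runtime from a whitelist, while every user-supplied value is bound as a ? parameter. Alongside it is the "sanitize once by doubling single quotes" approach for comparison, which holds up for a quoted string column but not for an unquoted numeric one. The table, rows, column whitelist and filter dicts are all constructed for the example; it uses Python's built-in sqlite3, whose placeholder syntax is ?.

```python
"""Dynamic WHERE clauses with ? parameters versus string building.

Added example, not code from the original thread. The client table, its rows,
the ALLOWED_COLUMNS whitelist and the filter dicts are all constructed here.
"""
import sqlite3

# Constructed sample data: (id, first_name, last_name, age).
ROWS = [
    (1, "Alice", "Smith", 34),
    (2, "Bob", "Jones", 45),
    (3, "Carol", "Smith", 29),
]

# Columns a caller may filter on. Query *structure* comes only from this
# set; user input never reaches the SQL text in the parameterized path.
ALLOWED_COLUMNS = {"id", "first_name", "last_name", "age"}
NUMERIC_COLUMNS = {"id", "age"}


def open_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE client (id INTEGER, first_name TEXT, "
        "last_name TEXT, age INTEGER)"
    )
    conn.executemany("INSERT INTO client VALUES (?, ?, ?, ?)", ROWS)
    return conn


def build_query(filters):
    """Return (sql, params) for a dict of column -> value.

    Column names are checked against the whitelist; values are collected
    into a parameter list so quotes or keywords inside them are just data.
    """
    clauses, params = [], []
    for column, value in filters.items():
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column!r}")
        clauses.append(f"{column} = ?")
        params.append(value)
    sql = "SELECT id FROM client"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY id"
    return sql, params


def query_parameterized(conn, filters):
    """Run the dynamically built query with bound parameters."""
    sql, params = build_query(filters)
    return [row[0] for row in conn.execute(sql, params)]


def escape_quotes(value):
    """The 'sanitize once' approach: double every single quote."""
    return str(value).replace("'", "''")


def query_concatenated(conn, filters):
    """Comparison path: quotes are escaped, but values are spliced into the
    SQL text. Numeric columns are written unquoted, as they would be in a
    hand-built query, so quote escaping cannot protect them."""
    clauses = []
    for column, value in filters.items():
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column!r}")
        if column in NUMERIC_COLUMNS:
            clauses.append(f"{column} = {escape_quotes(value)}")
        else:
            clauses.append(f"{column} = '{escape_quotes(value)}'")
    sql = "SELECT id FROM client"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = open_db()
    print(query_parameterized(db, {"last_name": "Smith", "age": 29}))
    print(query_parameterized(db, {"id": "1 OR 1=1"}))   # bound as data
    print(query_concatenated(db, {"id": "1 OR 1=1"}))    # spliced into SQL
```

With a filter of {"last_name": "Smith' OR '1'='1"} both paths return nothing, because quote doubling does neutralize a string-literal context. With {"id": "1 OR 1=1"} the concatenated path runs WHERE id = 1 OR 1=1 and returns every row, while the parameterized path binds the whole string as a value and matches nothing. The whitelist check is what keeps the dynamic structure safe: a column name such as "last_name; DROP TABLE client" is rejected before any SQL is assembled.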