On Mon, 2010-11-29 at 19:52 +0100, Sylvain Beucler wrote:
> On Mon, Nov 29, 2010 at 01:44:33PM -0500, Paul Smith wrote:
> > On Mon, 2010-11-29 at 19:34 +0100, Sylvain Beucler wrote:
> > > What I know is there's been a SQL injection leading to illegitimate
> > > membership access
> >
> > Oh blerg. The prevalence of these types of very simple (to avoid and to
> > fix) mistakes even on technical sites makes me despair.
>
> I spent several weeks patching hundreds of DB queries to attempt to
> get rid of them. That's not so easy because apparently I managed to
> miss a couple. Sure, it's easy to avoid when you rewrite from
> scratch, but we're talking about legacy code whose rewrite is not
> finished yet.
I didn't mean to disparage anyone's efforts; mine was more a general comment that even conceptually straightforward problems (unlike, say, cross-site scripting or something) seem so hard to avoid in the real world.

I really don't know anything at all about Savannah or how it's coded. I haven't messed with a web site in so long that the last time I did, the backend was all Perl CGI. However, it was easy to avoid injection issues because (a) Perl has "taint mode", and (b) Perl has great support for databases through DBI, which makes it simple to automatically quote strings appropriately, etc. Between those two it's not hard to be robust in the face of injection... assuming whoever is writing the code in the first place is paying the least amount of attention. Not a safe assumption, I grant you.

Looking forward to the next news update, thanks Sylvain!

-- 
-------------------------------------------------------------------------------
Paul D. Smith <[email protected]>          Find some GNU make tips at:
http://www.gnu.org                              http://make.mad-scientist.net
"Please remain calm...I may be mad, but I am a professional." --Mad Scientist
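The DBI point above (placeholders or quote() instead of building SQL from request data), as an added example that is not code from this thread or from Savannah: it assumes DBI with the DBD::SQLite driver, and the group_members table, its columns and the sample rows are constructed here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
# Constructed example schema, not Savannah's; an in-memory SQLite database
# so the script needs only DBI and DBD::SQLite.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE group_members (user_name TEXT, group_name TEXT)");
my $ins = $dbh->prepare("INSERT INTO group_members VALUES (?, ?)");
$ins->execute(@$_) for (["alice", "gnumake"], ["bob", "gnumake"], ["carol", "emacs"]);

# Vulnerable: request data is interpolated into the SQL text, so a quote
# character in $user changes the structure of the query.
sub members_interpolated {
    my ($user, $group) = @_;
    my $sql = "SELECT user_name FROM group_members "
            . "WHERE user_name = '$user' AND group_name = '$group'";
    return $dbh->selectcol_arrayref($sql);
}

# Hardened: placeholders keep the values out of the SQL text; the driver
# binds them separately, so a quote in $user is just data.
sub members_placeholder {
    my ($user, $group) = @_;
    my $sql = "SELECT user_name FROM group_members "
            . "WHERE user_name = ? AND group_name = ?";
    return $dbh->selectcol_arrayref($sql, undef, $user, $group);
}

# Fallback for legacy code that assembles the query as a string:
# $dbh->quote() escapes the value the way this driver requires.
sub members_quoted {
    my ($user, $group) = @_;
    my $sql = "SELECT user_name FROM group_members WHERE user_name = "
            . $dbh->quote($user) . " AND group_name = " . $dbh->quote($group);
    return $dbh->selectcol_arrayref($sql);
}

# A value of the shape that breaks the interpolated query; constructed here.
my $hostile = "x' OR '1'='1";
for my $case ([interpolated => \&members_interpolated],
              [placeholder  => \&members_placeholder],
              [quoted       => \&members_quoted]) {
    my ($name, $fn) = @$case;
    my $rows = $fn->($hostile, "gnumake");
    printf "%-12s %d row(s): %s\n", $name, scalar @$rows, join(",", @$rows);
}
# Under "perl -T" with { TaintIn => 1 } added to the connect attributes,
# DBI refuses tainted (unvalidated) values in all three calls: taint mode.
```

Only the interpolated variant returns the gnumake members for the hostile input; the placeholder and quoted variants return no rows, since no user is literally named `x' OR '1'='1`.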
