Quoting "Monty J. Harder" [email protected]:
"Dave Hull" [email protected] wrote:
[snip]
you should check the user input and make sure it's sane, that it fits your application.
[snip]
That's not just 'secure' programming, but 'sane' programming. It is a maxim of the military that "No plan survives contact with the enemy." As a technical support veteran, I have formulated the analogous "No software survives contact with the user".
I agree. I was shocked when I listened to a former colleague of mine whine about users not inputting their phone number correctly on a web interface he had created. "I even put instructions right next to the fields explaining that they shouldn't input dashes or spaces or parentheses..." he said.
After he cooled down, I told him that he should never expect his users to read and/or follow directions. Don't trust, but verify. He'd never thought it through before, but I saw the scales fall away from his eyes.
Scary thing is, he had previously been writing code for a rather large new media company, building web sites with user interfaces.
Another web application I worked with recently was vulnerable to SQL injection resulting in theft of service. I told the primary developer about it, and he claimed that was only the case on the test server. I asked him if I could try it on the production system. With him watching over my shoulder I went through the exact same process and he couldn't believe it. He'd heard of SQL injection, but hadn't ever read anything about it.
As I dug deeper in their configuration, I determined that it was possible for an attacker to completely wipe out the database. It's amazing what you'll find in the wild.
-- Dave Hull http://insipid.com
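The two failures described in the post above (expecting users to type a phone number in one exact format, and building SQL by pasting user input into the query string) are illustrated below in an added example. This is not code from the thread or from either application discussed; the table layout, account names and the `' OR '1'='1' --` payload are constructed for the demonstration, and SQLite is used in memory so it runs offline.

```python
import re
import sqlite3

# --- "Don't trust, but verify": normalise instead of instructing -------------
# Rather than telling users not to type dashes, spaces or parentheses, accept
# whatever they type, strip everything that is not a digit, and then check that
# what remains is actually a phone number (North American 10-digit format is
# assumed here purely for the example).
def normalize_phone(raw: str) -> str:
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):   # tolerate a leading country code
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit phone number: {raw!r}")
    return digits


# --- SQL injection: vulnerable query beside the parameterised one -------------
def make_db() -> sqlite3.Connection:
    """Constructed sample data. Passwords are plain text only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "s3cret", "5550100123"), ("bob", "hunter2", "5550100456")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # User input is spliced straight into the statement text. A username of
    #   ' OR '1'='1' --
    # turns the WHERE clause into  username = '' OR '1'='1'  with the password
    # check commented out, so every account is returned and the attacker is
    # "authenticated" without knowing any credentials.
    sql = (
        "SELECT username FROM accounts "
        f"WHERE username = '{username}' AND password = '{password}' "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The statement text is fixed; the driver passes the values separately, so a
    # quote inside the username is just a character in a string to compare, not
    # SQL syntax. The same payload now matches no row.
    sql = (
        "SELECT username FROM accounts "
        "WHERE username = ? AND password = ? "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    print(normalize_phone("(555) 010-0123"))        # user ignored the instructions; still fine
    db = make_db()
    payload = "' OR '1'='1' --"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))   # ['alice', 'bob']
    print("safe:      ", login_safe(db, payload, "anything"))         # []
```

The login bypass is the "theft of service" case: the attacker obtains a session without a valid credential. Whether the same hole can also be used to destroy data, as the post describes, depends on what the application's database account is allowed to do and whether the driver accepts stacked statements; `sqlite3.Connection.execute` refuses more than one statement per call, but a connection that runs as a privileged account through a driver that does not is one `DROP TABLE` away from the outcome described above, which is why the query fix and a least-privilege database account go together.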