Ok, so I'm a self-taught PHPer, born and raised on a steady diet of internet tutorials and php-builer.com. I'm a sophomore in college now, and just had my first day of my first non-C++ programming class, entitled: Web Programming (with HTML, JavaScript, and server-side programming).
I figured I'd be way ahead of the class, having built some pretty full-scale websites using PHP before.
However, the prof. was talking about web security, and "the sin of omission," as he put it, and referred to how easy it was for someone to totally screw you over via your contact form, or pretty much any other web form, if you don't check the value. As an example, he wrote something on the board like this:
;rm rf /
Now, I actually don't speak Unix very well, but I know that that has something to do with recursively deleting everything I own, although maybe not with that exact command.
Is this true? Are all of my sites completely vulnerable to malicious people who might do this? How can I make sure people don't throw stuff like this into my forms? I'm feeling awfully paranoid right now. Does anyone have any advice for me?
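
An added example, not part of the original post: a string like the one on the board only does harm when a form value is pasted into a shell command line. Assuming a hypothetical PHP handler that does that, the code below contrasts the concatenated command with allow-list validation and `escapeshellarg()`; the function names and sample inputs are constructed for illustration, and the only command run is a harmless `echo`.

```php
<?php
// Added example: hypothetical contact-form handler, constructed inputs.

// Allow-list validation: accept only what the field is supposed to contain
// (letters, spaces, dots, apostrophes, hyphens; 1 to 64 characters).
function valid_name(string $name): bool {
    return preg_match('/^[\p{L} .\'-]{1,64}$/u', $name) === 1;
}

// Vulnerable pattern: the form value is concatenated into a command line,
// so a ';' in the value starts a second command.
function build_unsafe(string $name): string {
    return 'echo Message from ' . $name;
}

// Hardened pattern: the value is quoted as one shell argument,
// so the shell treats ';' as ordinary text.
function build_safe(string $name): string {
    return 'echo Message from ' . escapeshellarg($name);
}

// Constructed sample inputs: one ordinary, one carrying a shell separator.
$samples = ['Alice Smith', 'x; echo INJECTED'];

foreach ($samples as $name) {
    printf("input:          %s\n", $name);
    printf("passes check:   %s\n", valid_name($name) ? 'yes' : 'no, reject the request');
    printf("unsafe command: %s\n", build_unsafe($name)); // shown only, never executed
    printf("safe command:   %s\n", build_safe($name));
    // Only the escaped command is executed; the whole value arrives as text.
    printf("shell output:   %s\n\n", trim((string) shell_exec(build_safe($name))));
}
```

A form whose values never reach a shell (`exec`, `system`, `shell_exec`, backticks, `popen`) is not exposed to this particular input, though the same validate-then-escape habit applies to SQL queries and HTML output with their own escaping functions.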