From: Kenneth D. <ke...@se...> - 2007-09-26 10:55:26
From: http://www.eweek.com/article2/0,1759,2188714,00.asp

Q: How can sites protect themselves against SQL injection?
A: The best defense is to design your database-backed Web site properly to make sure it always separates SQL code and user data. You basically have a choice between programming tools that are specifically designed to prevent you from making this kind of mistake and those that allow you to get into trouble if you're not careful. Roughly speaking, this corresponds to the difference between the newer Microsoft .Net tools and their older tools or open source frameworks like PHP.

--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010
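As an added example (not code from this thread, from eWeek, or from any project mentioned here), this is the distinction the quoted answer is drawing, written in PHP with PDO against an in-memory SQLite database so it runs offline. The users table, its two rows, the function names and both inputs are constructed for the demo.

```php
<?php
// Added example: the same lookup written two ways. Table, rows, function
// names and inputs are constructed for this demo; PDO, prepare() and
// execute() are PHP's own API.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)");
$pdo->exec("INSERT INTO users (username, email) VALUES
            ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Vulnerable form: user data is spliced into the SQL text, so the database
// cannot tell where the developer's query ends and the user's input begins.
// A quote character in the input closes the string literal and whatever
// follows it is parsed as SQL.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT username, email FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed when the statement is prepared and
// the value travels separately as a bound parameter. This is what
// "separating SQL code and user data" means in practice: the input is only
// ever compared against the column as a value, never parsed as SQL.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare("SELECT username, email FROM users WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign  = 'alice';
$quoting = "x' OR '1'='1";   // constructed input that contains a quote

foreach (['unsafe' => 'findUserUnsafe', 'safe' => 'findUserSafe'] as $label => $fn) {
    foreach (['benign' => $benign, 'quoting' => $quoting] as $kind => $input) {
        $rows = $fn($pdo, $input);
        printf("%-6s %-8s -> %d row(s): %s\n", $label, $kind, count($rows),
               implode(', ', array_column($rows, 'username')));
    }
}
```

Run it with a PHP build that has the pdo_sqlite extension loaded. The vulnerable function returns every user for the quote-bearing input, because the quote ends the literal and the remainder becomes part of the WHERE clause; the prepared form returns nothing for it, because no user is literally named that. PHP's mysqli extension offers the same prepare/bind/execute separation, so the protection the article attributes to tooling is available in the "older tools" it dismisses; what differs is whether the developer uses it.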
From: Hank M. <hma...@gm...> - 2007-09-26 13:22:56
To be fair, the next q/a ... is more balanced, though depending on which choir you're preaching to it means different things ...

Q: Are you saying that sites built with open source tools like PHP are more vulnerable to SQL injection attacks than sites built with .Net?
A: It's a question of mentality. Microsoft's mindset is to fix things in such a way that the user doesn't have so much control and is therefore less vulnerable. The open source tools like PHP have a different philosophy. They assume that users know what they are doing and want to be free of constraints, so these tools let users do what they want but at their own risk. The open source tools assume that developers these days are aware of the threat of SQL injection and will do the right thing.

On 9/26/07, Kenneth Downs <ke...@se...> wrote:
>
> From: http://www.eweek.com/article2/0,1759,2188714,00.asp
>
> Q: How can sites protect themselves against SQL injection?
> A: The best defense is to design your database-backed Web site properly to make sure it always separates SQL code and user data. You basically have a choice between programming tools that are specifically designed to prevent you from making this kind of mistake and those that allow you to get into trouble if you're not careful. Roughly speaking, this corresponds to the difference between the newer Microsoft .Net tools and their older tools or open source frameworks like PHP.
>
> --
> Kenneth Downs
> Secure Data Software, Inc.
> www.secdat.com www.andromeda-project.org
> 631-689-7200 Fax: 631-689-0527
> cell: 631-379-0010
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2005.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> chiPHPug-discuss mailing list
> chi...@li...
> https://lists.sourceforge.net/lists/listinfo/chiphpug-discuss
From: Kenneth D. <ke...@se...> - 2007-09-26 13:25:48
Yeah I guess to this choir member the next paragraph was worse :(

Hank Marquardt wrote:
> To be fair, the next q/a ... is more balanced, though depending on which choir you're preaching to it means different things ...
>
> Q: Are you saying that sites built with open source tools like PHP are more vulnerable to SQL injection attacks than sites built with .Net?
> A: It's a question of mentality. Microsoft's mindset is to fix things in such a way that the user doesn't have so much control and is therefore less vulnerable. The open source tools like PHP have a different philosophy. They assume that users know what they are doing and want to be free of constraints, so these tools let users do what they want but at their own risk. The open source tools assume that developers these days are aware of the threat of SQL injection and will do the right thing.
>
> On 9/26/07, Kenneth Downs <ke...@se...> wrote:
>>
>> From: http://www.eweek.com/article2/0,1759,2188714,00.asp
>>
>> Q: How can sites protect themselves against SQL injection?
>> A: The best defense is to design your database-backed Web site properly to make sure it always separates SQL code and user data. You basically have a choice between programming tools that are specifically designed to prevent you from making this kind of mistake and those that allow you to get into trouble if you're not careful. Roughly speaking, this corresponds to the difference between the newer Microsoft .Net tools and their older tools or open source frameworks like PHP.
>>
>> --
>> Kenneth Downs
>> Secure Data Software, Inc.
>> www.secdat.com www.andromeda-project.org
>> 631-689-7200 Fax: 631-689-0527
>> cell: 631-379-0010

--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010
From: Arlo L. <ar...@ar...> - 2007-09-26 13:35:36
Hi all,

> A: It's a question of mentality. Microsoft's mindset is to fix things in such a way that the user doesn't have so much control and is therefore less vulnerable.

I've been teaching classes on Microsoft software lately, and I think that neatly sums up their approach to usability in general. Try to guess what the user wants, implement a complex interface for carrying it out, and make any alternatives difficult to find. From what I've seen, this is easier for users who don't understand basic software concepts, but it also prevents them from learning the basic concepts.

In a way, it's comforting to see that this is an intentional strategy; I always figured it was just sloppy design.

Cheers,
-Arlo

_______________________________
Arlo Leach
773.769.6106
http://arlomedia.com

Make friends with your computer
http://compyschool.com
From: Neil Y. <ny...@as...> - 2007-09-26 13:49:58
Hello all - I've been lurking on this mailing list for several weeks, but that article irks me into the open.

I'm frustrated that he not only attacks PHP, open source and older languages using ASP.NET as the standard for good security. How can a security expert keep a straight face when starting a sentence with "Microsoft's mindset is to fix things..." .NET is just as likely to result in SQL injection in the hands of a novice as any other language.

I also am angered at his assertion that the latest batch of college educated developers will be better prepared to tackle the problem of SQL injection. Most programmers fresh out of college know little to nothing about real world problems like SQL injection, usually having barely mastered the basics of iteration and OO design.

Neil

----------
Neil Young
ASA Sales Systems

-----Original Message-----
From: chi...@li... [mailto:chi...@li...] On Behalf Of Kenneth Downs
Sent: Wednesday, September 26, 2007 5:55 AM
To: chiphpug-discuss
Subject: [chiPHPug-discuss] Not so subtle attack on PHP

From: http://www.eweek.com/article2/0,1759,2188714,00.asp

Q: How can sites protect themselves against SQL injection?
A: The best defense is to design your database-backed Web site properly to make sure it always separates SQL code and user data. You basically have a choice between programming tools that are specifically designed to prevent you from making this kind of mistake and those that allow you to get into trouble if you're not careful. Roughly speaking, this corresponds to the difference between the newer Microsoft .Net tools and their older tools or open source frameworks like PHP.

--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010
From: Jason R. <ja...@ho...> - 2007-09-26 14:43:39
Indeed.. Although I do actually agree with some aspect of the ".NET shackles you, LAMP expects that you know what you're doing" sentiment.

I don't think .NET helps with SQL injection attacks specifically, however, but MS approaches in general tend to be "proscribed or impossible". I would not say, however, that this has had any positive impact on security.

I am also continually frustrated with the poor quality of code I come across in lots of areas. I don't think "kids these days" are any better prepared for the realities of multi-system, multi-component architectures than they were at any other point in recent years.

I will say that PHP, Perl and Python are all powerful languages. And with great power comes great sharp, pointy edges and lots and lots of rope. But I am fond of rope..

Neil Young wrote:
> Hello all - I've been lurking on this mailing list for several weeks, but that article irks me into the open.
>
> I'm frustrated that he not only attacks PHP, open source and older languages using ASP.NET as the standard for good security. How can a security expert keep a straight face when starting a sentence with "Microsoft's mindset is to fix things..." .NET is just as likely to result in SQL injection in the hands of a novice as any other language.
>
> I also am angered at his assertion that the latest batch of college educated developers will be better prepared to tackle the problem of SQL injection. Most programmers fresh out of college know little to nothing about real world problems like SQL injection, usually having barely mastered the basics of iteration and OO design.
>
> Neil
>
> ----------
> Neil Young
> ASA Sales Systems
>
> -----Original Message-----
> From: chi...@li... [mailto:chi...@li...] On Behalf Of Kenneth Downs
> Sent: Wednesday, September 26, 2007 5:55 AM
> To: chiphpug-discuss
> Subject: [chiPHPug-discuss] Not so subtle attack on PHP
>
> From: http://www.eweek.com/article2/0,1759,2188714,00.asp
>
> Q: How can sites protect themselves against SQL injection?
> A: The best defense is to design your database-backed Web site properly to make sure it always separates SQL code and user data. You basically have a choice between programming tools that are specifically designed to prevent you from making this kind of mistake and those that allow you to get into trouble if you're not careful. Roughly speaking, this corresponds to the difference between the newer Microsoft .Net tools and their older tools or open source frameworks like PHP.
From: Kenneth D. <ke...@se...> - 2007-09-26 18:17:54
Jason Rexilius wrote:
> Indeed.. Although I do actually agree with some aspect of the ".NET shackles you, LAMP expects that you know what you're doing" sentiment.
>
> I don't think .NET helps with SQL injection attacks specifically, however, but MS approaches in general tend to be "proscribed or impossible".

I always liked the way Heinlein said it, when speaking of some societies: "Whatever is not encouraged is forbidden."

--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010