Menu
▾
▴
Re: [Owasp-input-api-developers] OO, Dumb Programmes, and Strongly-Typed Languages
|
From: vertigo <ve...@pa...> - 2002-06-20 02:20:19
|
On Tue, 18 Jun 2002, Matt Wirges wrote: > On Tuesday 18 June 2002 15:51, vertigo wrote: > > I am uncertain of the experience with and opinions toward OO > > that the group may have. > > There's nothing really wrong with OO. I believe the bulk of our target languages > support it (perl,python,asp,C++, Java, PHP, ruby) albeit Perl's OOP is dirty -- its pretty > much "stapled on", but it does work (though, if Perl6 ever becomes non-vaporware, this'll change). > > > The word "function" seemed to pervade > > the conversation, as in "wrap _EVERYTHING_ with one of our fun- > > ctions." The design I had in mind involved adding unfiltered > > parameters to a filter object, calling the filter() method, then > > retrieving filtered parameters from it, as in the following > > lines of code: > > Here's where I begin to disagree. The bulk of your web app developers (commercial or personal) > are not going to want tons of object instantiations and umpteen method invocations just to get one lousy > stinking "cleaned" piece of data. > True, and this is where we have to make some serious decisions. It's a fairly standard trade-off: performance for maintainability and extensibility. Write everything in assembly if you want speed (FDNY uses VAX assembly); I prefer to be able to read and maintain the code. Your standard webapp developers will not see the internals of the API--only the public interface (which may be fairly slim). Without reading the source, there's no way to tell how many methods are being called. Just because function calls have overhead doesn't mean we should abandon their use. On the other hand, if the API is slow, people may not want to use it in existing apps that are already slow. I think this problem goes directly to the heart of secure systems. Security adds overhead, whether it is SSL or Snort. Is the overhead acceptable? Is the additional time taken to filter input less of a problem than a successful attack? Ooops, forgot about something. Will continue later Nathan |
