Tag Cloud
My Reading List
This is a list of books currently on my To Read shelf... literally. I do not suggest or anti-suggest any of them at this time as I haven't read them yet.
- Agile Project Management with Scrum
- Beautiful Code
- Code Reading
- Databases in Depth
- Essential Business Process Modeling
- Good to Great
- Head First PMP
- Making Things Happen
- Manage It!
- Mind Hacks
- Practical Django Projects
- Prioritizing Web Usability
- Regular Expression Recipes
- Software Project Survival Guide
- The No Asshole Rule
Links of Interest
Current Efforts:
Blue Parabola, LLC
web2Project
PHP'ers:
Ben Ramsey
Brandon Savage
Cal Evans
Eli White
Elizabeth Naramore
Joe LeBlanc
Matthew Turland
Matthew Weier O'Phinney
Planet PHP
Tony Bibbs
Business/mISV:
Bob Walsh
Eric Sink
Gavin Bowman
Guy Kawasaki
Joel Spolsky
Micah Baldwin
Paul Graham
Planet mISV
Past Projects:
CodeSnipers
HOBY
Judicial Watch
mobile FoxNews.com
NRTW
Great Tools I use:
Drupal
GitHub
phpUnit
Subversion
Zend Framework
User login
Search
Upcoming Events
Welcome
This is not the home of dotProject or web2project. It is the home of CaseySoftware, LLC. Any dotProject support questions should be referred to their support forums.
Recent blog posts
Items of Interest
Recent comments
- Defintely Maybe
1 week 1 day ago - Environmental Info?
1 week 2 days ago - thanks
2 weeks 3 days ago - nice post
2 weeks 4 days ago - So...
4 weeks 6 days ago - Data versus Observations
5 weeks 1 day ago - is management art or science?
5 weeks 5 days ago - Different kind of start up
6 weeks 2 days ago - A good example!?
7 weeks 4 days ago - Fantastic
7 weeks 4 days ago
Popular content
Today's:
Ads
Date: 4 May, 2009 - 04:06
Recently I taught a class of bright-eyed, bushy-tailed PHP'ers just getting their start in the world. They haven't done their first production application and we were working in the "safe" confines of a classroom, but there was one concept that I pounded into their heads:
Don't Trust the Users
It may sound harsh but:
It's not that they're malicious, though they might be...
It's not that they're incompetent, though they might be...
It's not that they're ignorant, though they might be...
In fact, there's absolutely nothing "wrong" with 99.9% of your users... or maybe even 99.999% of your users. But all it takes is one user with any of the above qualities combined with a poorly designed application and you're going to have a bad day. For lack of being able to say it better, I defer to Chris Shiflett and use his phrase (with credit of course):
That's it. If you stick to these two principles and apply them consistently and rigorously, you'll protect yourself from the vast majority - but not all* - vulnerabilities. But there are two tips to remember:
Be sure to identify what is provided by the user and what is not. Most people know of form entries and anything on the url, but many people forget that PHP_SELF is not safe.
On the other side, be sure you understand what "output" means. Everyone thinks of the webpage first and some stop there. Odds are you have a variety of other output sources such as email, reporting tools (even pdf), logging tools, and even various Web Services or APIs. Output is more than what gets displayed to a user.
* Unfortunately, the only way to make a site truly and 100% secure is to remove anything remotely interactive - forums, blogs, email forms, comments, logins, ecommerce, etc, etc - which makes for a pretty boring site.
Thanks for sharing information
Nice article, I was looking for these kind of information on software development.
Please continue writing....
Thanks
Post new comment