June 9th, 2005, 02:28 PM
#24
Originally posted here by Soda_Popinsky
Limiting where the attacks can hit is the point! Isn't it?
In some respects yes, but what I'm saying is that to believe you have fixed a problem merely by limiting where it can occur *when certain permissions are required* is flawed thinking.
Originally posted here by catch
One point that I thought was clear but there seems to be some confusion about. Most web applications are not a single application, but a series of smaller applications working together. (This site for example uses "newreply.php" and "showthread.php" among others, consequently least privilege and RBAC applies even though they may be subcomponents of the same web application.)
Actually, this shows your lack of knowledge of general web development best practices, to which vBulletin tries to adhere. Generally, all of these pages INCLUDE the actual code that is being used to interface with the DB, and therefore there are usually only a few library-style scripts dealing with the database.
chsh, what part of "I do not wish to argue this point with you further" was unclear? You're trolling, that much is clear. You made a point about how minimizing exploits was not the right approach, then flip-flopped after it was pointed out that is all any security mechanism does.
It's all well and good to say you don't wish to argue the point further, but I am allowed to freely post here, so deal with it. What I am doing here is trying to explain to you why you are incorrect in specific thinking as to how webapps are generally written. You bust out your "years of experience" earlier, however they're IME irrelevant when it comes to web software design -- no, ESPECIALLY as pertains to web software. Barring Java Servlets or ASP.NET, almost all web languages I've encountered are written in wholly different ways than regular applications due to the communication medium differences, etc... What it boils down to is, I have experience in this, it is contradictory to some of what you are saying. If that is trolling so be it, I'm a troll. At least I'm a troll with a clue.
Clearly nothing more can come of this conversation with you. You have made your points and I mine, the readers can decide what they think has value without drawing this out in a round and round conversation.
Perhaps you're once again proving the criticisms that have been levelled against you are accurate?
Since I'm now a troll, I can freely say things like:
I'm still waiting for your patch to PHPNuke Catch, I'm looking forward to seeing how long it took you.
Go back to managing your underlings, if you even have any.
And so on...
Originally posted here by slarty
I disagree strongly. Data validation needs to be different on a field-by-field basis, therefore it can't be applied by a "shared library or include file" to a web site.
No, it needs to be done on a data type basis, not field by field. At most you would need about maybe 50-60 functions in your average web language, maybe more in others where you are storing serialized object data and so forth.
However, applying such routines across the board in an already-existing complex system is extremely time-consuming and error prone.
Time consuming, yes. Error prone can be dealt with through testing. You are checking your work, right?
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
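To see the "validate by data type, not field by field" argument in working code, here is an added example in Python (not code from the post, from vBulletin or from any project discussed): one shared module holds a validator per data type, and each script only declares which type each of its fields has. The schemas, field names and type names are assumptions made for the illustration.

```python
"""Shared, type-keyed input validation reused by several scripts (constructed example)."""
import re
from typing import Any, Callable, Dict, Tuple

# One validator per data type, registered in a shared module the scripts include.
VALIDATORS: Dict[str, Callable[[str], Any]] = {}


def validator(type_name: str):
    def register(fn):
        VALIDATORS[type_name] = fn
        return fn
    return register


@validator("int")
def v_int(raw: str) -> int:
    # Bounded digit count keeps the value inside a 32-bit-ish range.
    if not re.fullmatch(r"-?\d{1,9}", raw):
        raise ValueError("not an integer")
    return int(raw)


@validator("id")
def v_id(raw: str) -> int:
    n = v_int(raw)          # reuse the int rule, then tighten it
    if n <= 0:
        raise ValueError("not a positive id")
    return n


@validator("text")
def v_text(raw: str, max_len: int = 10000) -> str:
    if "\x00" in raw or len(raw) > max_len:
        raise ValueError("bad text")
    return raw


def validate(schema: Dict[str, str], params: Dict[str, str]) -> Tuple[dict, dict]:
    """Apply the shared per-type rules to one script's declared fields.
    Returns (clean values, errors); a script uses only the clean dict."""
    clean, errors = {}, {}
    for field, type_name in schema.items():
        raw = params.get(field)
        if raw is None:
            errors[field] = "missing"
            continue
        try:
            clean[field] = VALIDATORS[type_name](raw)
        except ValueError as exc:
            errors[field] = str(exc)
    return clean, errors


# Two hypothetical scripts sharing the same include: each declares only field -> type.
SHOWTHREAD_SCHEMA = {"t": "id", "page": "int"}
NEWREPLY_SCHEMA = {"t": "id", "message": "text"}
```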