There is only one way to avoid Bobby Tables attacks:
Use parameterized SQL calls.
That's it. Don't try to escape invalid characters. Don't try to do it yourself. Learn how to use parameterized statements. Always, every single time.
The strip gets one thing crucially wrong. The answer is not to "sanitize your database inputs" yourself. It is prone to error.
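As an added example that is not part of the thread, here is the "Bobby Tables" input from the strip handled both ways in Python with the standard sqlite3 module: spliced into the SQL text, and passed as a parameter. The table name, the seed row, and the use of executescript() in the unsafe helper (to mimic a driver that runs every statement in the string) are assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample input: the name from the strip the thread is discussing.
BOBBY = "Robert'); DROP TABLE Students;--"

def fresh_db():
    """In-memory database with one Students table and one seed row (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.execute("INSERT INTO Students (name) VALUES ('Alice')")
    return conn

def insert_unsafe(conn, name):
    """Anti-pattern: the value is concatenated into the SQL text, so a quote in the
    input ends the literal and the rest becomes statement text. executescript()
    runs every statement in the string, as a multi-statement driver would."""
    sql = "INSERT INTO Students (name) VALUES ('" + name + "');"
    conn.executescript(sql)

def insert_safe(conn, name):
    """Parameterized statement: the SQL text is fixed and the value travels
    separately, so the driver stores the input as plain data."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))

def table_exists(conn):
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row[0] == 1

def names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY name")]

def demo():
    """Returns (table survived unsafe insert?, table survived safe insert?, rows after safe insert)."""
    c1 = fresh_db()
    insert_unsafe(c1, BOBBY)
    unsafe_ok = table_exists(c1)   # False: the injected DROP TABLE ran
    c2 = fresh_db()
    insert_safe(c2, BOBBY)
    safe_ok = table_exists(c2)     # True: the whole string was stored as a name
    return unsafe_ok, safe_ok, names(c2)

if __name__ == "__main__":
    print(demo())
```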
fatbird, here's where I explain how computers and networks work, again. (Last time it was 802.11)
You enter an address into your browser
Your browser contacts the server and says "may I have this page please"
The server may respond in one of several ways:
Yes, here it is
No, but if you give me a password I might let you
We have computers to automate these processes and they follow our instructions just as an employee at my front desk might follow my instructions on what information to give out to different visitors.
If I explicitly set up a Web server, explicitly place documents or resources on it, and explicitly give those files out when asked for, it's hard to simply call this "a failure to completely secure" let alone how it isn't exactly "an implicit grant of permission to access it". You are right on one thing though, it isn't an implicit grant; it's an explicit one.
Okay, vsync, so here's the URL I try on this site: http://www.metafilter.com/../../../etc/shadow
If it works because they're using an older version of Apache that hasn't patched all its directory traversal holes, is that an explicit grant of permission to retrieve the shadow password file?
Where you're talking about explicitly granting permission, these two sentences contradict each other. You can't explicitly do something that you don't intend to do.
It's worth pointing out that directory traversal holes[...irrelevant tangent elided]
But all the high-minded technologists here pointing the finger at AT&T are, essentially, blaming the victim.
I found many almost current examples of PHP code allowing the same thing.
pwnguin mentioned Wordpress theme hacks. Not only do you need to trust the Apache guys, the PHP guys, and the Wordpress guys that they've written secure software, but the guy from whom you bought a theme as well.
There's a lot of links in that chain, and saying "if it's available by URL, then it's your fault for not securing it properly" is creating an absurdly high standard of strict liability for security breaches, such that no one who hacked your server would ever be found guilty.
Given that the general use of URLs is that they're provided to be clicked on, if you're generating URLs, then you're already across a line as to normal usage.