Re: Serious 7.2 issue (non quiet string truncation)

On Mon, Feb 18, 2002 at 03:28:15PM -0500, Rod Taylor wrote:
> Why can't you truncate the string yourself.
> 
> Take atleast one of these actions:
> 
> 1.    Limit the forms themselves to the length in question:
> <input type="text" size="50" />

An attacker could circument this by not going through the webform.
While it's doubtful such an attack would cause an exploitable
condition in a language like PHP, it's still better to check
post-submission...

> 2.    Use trim the string to length in the code (php below):
> $string = substr($string, 0, 50);

like this.

> 3.    Have the INSERT truncate the string:
> INSERT INTO table (col1) VALUES (substring('valuetoinsert', 1, 5));
> 
> 
> Any of the above (or all of the above) will accomplish what you
> require.  I personally suggest both 1 and 2.  But 3 can be used if
> necessary.

1 and 2, as you say.

Otherwise some day you convert your code over to C and forget to
truncate, and you may be exploitable.

-- 
David Terrell            | "Science is like sex: sometimes
dbt@meat.net             | something useful comes out, but
Nebcorp Prime Minister   | that is not the reason we are
http://wwn.nebcorp.com/  | doing it" -- Richard Feynman