Re: Sanitizing text being stored in text fields - some characters cause problems
| From | Steve Crawford |
|---|---|
| Subject | Re: Sanitizing text being stored in text fields - some characters cause problems |
| Date | |
| Msg-id | 4F480C96.8050004@pinpointresearch.com |
| In reply to | Re: Sanitizing text being stored in text fields - some characters cause problems (Tanstaafl <tanstaafl@libertytrek.org>) |
| List | pgsql-novice |
On 02/24/2012 01:14 PM, Tanstaafl wrote:
> Thanks very much Steve for the candid response, and more importantly
> the links to get us started down the straight and narrow...
>
> I will be taking this all to heart, and have already scheduled a 'come
> to Jesus' meeting for Monday for the Project Manager.

Don't take anyone out to the woodshed. Yet.

Though I consider sanitizing input a basic part of programming, some recent surveys have found that many if not most college and university programming courses give only a passing look at security if they discuss security at all.

I have no inkling about the nature of your organization or where you fit in it. As a general guide, you may be dealing with multiple issues:

1. Lack of experience and training. This can be addressed with appropriate mentoring, training, etc. The overall development process can play a role here. Code reviews are a good way of locating problems and, in the process, educating programmers. You don't want code reviews to be adversarial but rather team-oriented and educational. Nonetheless, the fact that someone will be reviewing your code is a deterrent to taking short-cuts.

2. Laziness and sloppiness. If you have someone who, for whatever reason, can't be bothered with secure programming then perhaps they need to find another place to work. Even if they are the "productive" prima-donna.

3. Misaligned incentives or unrealistic expectations. This is the hardest to tackle as it requires managerial discipline, patience and understanding that is both visible and constant. It's easy to have the "come to Jesus" meeting then immediately slip back into "we have to have it by tomorrow", "the sales-guy is yelling that his commission is on the line", "the client needs it yesterday - we'll have to skip the code-review". It takes managers who will push back and tell their superiors "we can't have it till end-of-month". Products are visible. Security isn't. It takes an understanding that security isn't free.

Training and mentoring take time. Code reviews take time. Testing takes time. But at least when "Charles O'Leary" visits your site it won't croak and with luck you will stay off the front page of the Times.

Cheers,
Steve