Trust Nobody
One important lesson when developing applications (I’m focusing on websites here, but this applies to all types of applications) is to stop trusting the user.
In a nutshell: do not trust any input you receive from a user. Seriously, do not assume it is clean and good. Treat all user input (whether it is a cookie, text from a text box or anything else) as potentially dangerous. Check it, filter it, escape it.
Never let input from a user go straight into your database or onto a page without filtering it first. If you let it straight into the database, you leave yourself open to SQL injection and other attacks.
Keep that in mind while you are developing an application: any and all user input needs to be checked out, torn to pieces, ripped apart and put back together before it can be considered safe.
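As an added illustration of the three verbs above (check it, filter it, escape it), the following Python example is not from the original post; it is a self-contained demonstration using a constructed in-memory SQLite table, a constructed hostile username, and hypothetical helper names (`lookup_user_unsafe`, `lookup_user_safe`, `validate_username`, `render_comment`). It puts the "input spliced straight into the query" pattern beside a parameterised query, and shows why the same input behaves differently against each.

```python
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny in-memory user table standing in for the site's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # The pattern the post warns against: user input is spliced straight into the SQL
    # text, so whatever the user typed becomes part of the query's grammar.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the value travels separately from the SQL text, so the
    # database can only ever compare it as data, never parse it as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list for what a username is permitted to look like (a constructed policy).
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def validate_username(username: str) -> bool:
    # "Check it": reject anything outside the expected shape before it reaches
    # the database at all. This complements, but does not replace, parameterisation.
    return USERNAME_RE.fullmatch(username) is not None


def render_comment(text: str) -> str:
    # "Escape it": text destined for a page is HTML-escaped at output time so it
    # cannot smuggle markup or script into the rendered document.
    return f"<p>{html.escape(text, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_db()
    hostile = "' OR '1'='1"  # constructed sample input, the textbook injection string
    # The quote closes the string literal and the OR clause matches every row.
    print(lookup_user_unsafe(conn, hostile))
    # No user is literally named "' OR '1'='1", so the safe lookup returns nothing.
    print(lookup_user_safe(conn, hostile))
    print(validate_username(hostile))
    print(render_comment("<script>alert(1)</script>"))
```

The order of defences matters: validation runs first and rejects the bulk of malformed input, the parameterised query guarantees that whatever survives is still only data, and escaping happens at the moment the value is written into HTML rather than when it is stored, so the same stored string can be rendered safely in any context.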

January 16, 2010 - 5:29 pm
I was fascinated to learn about SQL injections @ uni last year, and it really does nail the point home…don’t trust anything that can be inputted!
January 16, 2010 - 5:42 pm
Absolutely. I’ve gotten in the habit of covering those bases, so the sites I write now are pretty good at not allowing injection (had a friend try attacking xD).
Never trust the user! (Something a lot of Gaia exploits come from, trusting the user too much!)