Why Is Escaping Data Considered So Magical?

Stephen Hansen me+list/python at ixokai.io
Fri Jun 25 23:20:52 EDT 2010


On Fri, Jun 25, 2010 at 5:49 PM, Lawrence D'Oliveiro
<ldo at geek-central.gen.new_zealand> wrote:

> In message <slrni297ec.1m5.grahn+nntp at frailea.sa.invalid>, Jorgen Grahn
> wrote:
>
> > I thought it was well-known that the solution is *not* to try to
> > sanitize the input -- it's to switch to an interface which doesn't
> > involve generating an intermediate executable.  In the Python example,
> > that would be something like os.popen2(['zcat', '-f', '--', untrusted]).
>
> That’s what I mean. Why do people consider input sanitization so hard?


It's not that it is "hard"; it's that it has to be done with care: and when an
interface provides you two methods to pass it data, one that requires it to
parse a string to get at your data (thus requiring careful sanitization),
and one that is a direct channel where no parsing is required and the data
is directly passed through memory and bypasses the need for any sanitization
... preference for the latter seems pretty darn obvious to me.

Use a method that does not add an extra security concern to the application
or system = best practice.

When that method *also* provides positive performance characteristics on top
of alleviating a security concern, and even gets rid of a lot of data type
conversion details you shouldn't really need to worry about, well. Using
that method seems pretty much an obvious choice to me.

If the only reason not to use it is so you can produce ghoulish spaghetti
code like in the first post, I think that's a count in PQ's favor :)

--S
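The two interfaces the reply contrasts, as an added example that is not part of the original thread: one call hands the data to a shell that must parse it (so a command separator in the data becomes a second command), one quotes the data first (the "sanitize it" route), and one passes an argv list straight through to execve() so nothing parses it at all. The attacker-controlled "filename" is constructed for the demo, and `echo` stands in for `zcat` so the block runs without an input file.

```python
import shlex
import subprocess

# Constructed attacker-controlled "filename" (not from the thread): harmless
# as data, but it carries a second command for a shell to find.
UNTRUSTED = "archive.gz; echo INJECTED"


def via_shell_string(name: str) -> str:
    """Concatenate the data into one command string and let /bin/sh parse it.

    The shell treats ';' as a command separator, so the data gets executed.
    Returns the combined stdout of whatever ran.
    """
    cmd = "echo " + name
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def via_quoted_shell_string(name: str) -> str:
    """The 'sanitize it' route: quote the data before the shell parses it.

    Correct here, but only as long as every call site remembers to quote
    every value it splices in.
    """
    cmd = "echo " + shlex.quote(name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def via_argv_list(name: str) -> str:
    """The 'direct channel' route: argv goes to execve() without a shell.

    No parser sits between the data and the program, so shell
    metacharacters in the data are just bytes of the argument.
    """
    return subprocess.run(["echo", name], capture_output=True, text=True).stdout


def injected(output: str) -> bool:
    """True if the smuggled second command actually ran."""
    return output.splitlines() == ["archive.gz", "INJECTED"]


if __name__ == "__main__":
    for fn in (via_shell_string, via_quoted_shell_string, via_argv_list):
        out = fn(UNTRUSTED)
        print(f"{fn.__name__:24s} injected={injected(out)!s:5s} stdout={out!r}")
```

One caveat worth keeping in mind: the argv list only removes the shell's parsing step. The invoked program still parses its own options, so a value beginning with "-" can still be read as a flag; that is why the quoted `os.popen2(['zcat', '-f', '--', untrusted])` puts `--` in front of the untrusted argument.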

