[OT] Coding Errors



Riddle
13-01-09, 16:18
One for all you code monkeys out there..... or would-be hackers :lol:

Top 25 Most Dangerous Coding Mistakes (http://news.bbc.co.uk/2/hi/technology/7824939.stm)

I wonder if they have ever seen NC :angel: No errors, just features!

naimex
13-01-09, 16:29
cute :)

SilentEye
13-01-09, 16:36
Very cool! :D The list doesn't mean anything to me but, what ever :D

Asurmen Spec Op
14-01-09, 02:24
I have to say that most of those are 'duh'.
I mean really, not validating user input?

naimex
14-01-09, 02:27
I have to say that most of those are 'duh'.
I mean really, not validating user input?

I think they are referring to " ' and lack of mysql_real_escape_string strip_tags htmlentities and md5


Don't think they mean the "you didn't fill out a correct email address, please enter something with *@*.*".

CMaster
14-01-09, 02:39
I think they are referring to " ' and lack of mysql_real_escape_string strip_tags htmlentities and md5


Don't think they mean the "you didn't fill out a correct email address, please enter something with *@*.*".

You mean this kinda thing?:
http://imgs.xkcd.com/comics/exploits_of_a_mom.png

I recall seeing a forum once that people had fucked up as it didn't filter HTML at all. Even in titles. So it had javascript popups and images all over the index page.
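The forum CMaster describes is the classic stored-XSS case: a title is stored raw and dropped straight into the index page. The following is an added example, not code from the thread or from any forum software, written in Python to stand in for the PHP helpers named above (strip_tags, htmlentities). The sample titles and the wrapper markup are constructed for illustration; the point it shows is that stripping tags is lossy while encoding on output keeps the text intact and still never lets it reach the browser as markup.

```python
import html
import re

# Constructed sample titles, the kind a forum receives from users (not real posts).
SAMPLE_TITLES = [
    "Trading a Dev Rifle for creds",
    "<script>alert('popup')</script>",   # the "javascript popups" case from the thread
    "5 < 6 && 7 > 3",                      # legitimate text that merely looks like markup
]

# Assumed wrapper markup for the index page (hypothetical, not from any real forum).
WRAP_OPEN, WRAP_CLOSE = '<h2 class="thread-title">', '</h2>'
TAG_RE = re.compile(r"<[^>]*>")


def render_raw(title: str) -> str:
    """The bug from the thread: user text dropped straight into the page."""
    return f"{WRAP_OPEN}{title}{WRAP_CLOSE}"


def strip_tags(text: str) -> str:
    """Rough equivalent of PHP's strip_tags(): delete anything that looks like a tag.
    This is lossy: it also eats legitimate text between a '<' and the next '>'."""
    return TAG_RE.sub("", text)


def render_escaped(title: str) -> str:
    """The fix: encode on output (what htmlentities()/htmlspecialchars() do in PHP).
    The title is stored unchanged; the browser sees entities, never tags."""
    return f"{WRAP_OPEN}{html.escape(title, quote=True)}{WRAP_CLOSE}"


def inner_markup_count(rendered: str) -> int:
    """Detection check: count tags inside the wrapper. Anything above zero means a
    user-supplied title reached the page as markup."""
    inner = rendered[len(WRAP_OPEN):-len(WRAP_CLOSE)]
    return len(TAG_RE.findall(inner))


if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        raw, esc = render_raw(t), render_escaped(t)
        print("raw     :", raw, "| tags inside:", inner_markup_count(raw))
        print("stripped:", strip_tags(t))
        print("escaped :", esc, "| tags inside:", inner_markup_count(esc))
```

Escaping belongs at the point of output, not at the point of storage: the same title may later be written into an RSS feed, an email or a JSON API, each of which needs its own encoding, and a title that was already HTML-encoded on the way in would be double-encoded there.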

Asurmen Spec Op
14-01-09, 03:09
I think they are referring to " ' and lack of mysql_real_escape_string strip_tags htmlentities and md5


Don't think they mean the "you didn't fill out a correct email address, please enter something with *@*.*".
well, there's your problem: php.

I'm not saying those aren't issues, I'm saying they are obvious. If you don't verify the sanity of your data then you deserve what you get, like good ol' Bobby Tables.
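Bobby Tables is the string-concatenation bug in one picture. The block below is an added example, not code from the thread; it uses Python's sqlite3 module, with a constructed in-memory table, in place of the PHP/MySQL setup the posters are talking about. It shows the two things the xkcd strip implies: a quote in the input rewrites the query when the value is glued into the SQL, and the same query with a bound parameter treats the input as data. It also shows the quieter failure, a legitimate name containing an apostrophe, which breaks the concatenated version outright.

```python
import sqlite3

# Constructed lookalike of "a php file with a mysql connection": an in-memory table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, grade INTEGER)")
    conn.executemany(
        "INSERT INTO students (name, grade) VALUES (?, ?)",
        [("Alice", 91), ("Bob", 78), ("Robert", 85), ("O'Brien", 70)],
    )
    return conn


# Constructed inputs: one ordinary name with an apostrophe, one that carries SQL.
LEGIT_NAME_WITH_QUOTE = "O'Brien"
CONSTRUCTED_HOSTILE_NAME = "Robert' OR '1'='1"


def grade_lookup_concat(conn: sqlite3.Connection, name: str):
    """The bug: the name is pasted into the SQL text, so a quote in the input changes
    the query's structure. Returns None when the query fails to parse, which is what
    a real apostrophe in a real name does to this code."""
    sql = "SELECT name, grade FROM students WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def grade_lookup_bound(conn: sqlite3.Connection, name: str):
    """The fix: the name travels as a bound parameter (PDO prepared statements in PHP
    do the same). Whatever it contains, it is compared as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT name, grade FROM students WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for who in ("Robert", LEGIT_NAME_WITH_QUOTE, CONSTRUCTED_HOSTILE_NAME):
        print(repr(who))
        print("  concat:", grade_lookup_concat(db, who))
        print("  bound :", grade_lookup_bound(db, who))
```

The escaping helpers named earlier in the thread (mysql_real_escape_string and friends) are the fallback for code that cannot use parameters; they have to be applied to every value in every query and match the connection's character set, which is exactly the discipline the "90% of php files" comment says people do not keep. Parameter binding removes the decision from the programmer altogether.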

naimex
14-01-09, 04:02
You mean this kinda thing?:
http://imgs.xkcd.com/comics/exploits_of_a_mom.png

I recall seeing a forum once that people had fucked up as it didn't filter HTML at all. Even in titles. So it had javascript popups and images all over the index page.

ye, exactly that.


You'll find those security holes on like 90% of all php files with a mysql connection.



I hate asp for its inflexibility and awkwardness enough to take the extra hassle of putting some nice wrapper on my php code :)

Asurmen Spec Op
14-01-09, 05:16
ye, exactly that.


You'll find those security holes on like 90% of all php files with a mysql connection.



I hate asp for its inflexibility and awkwardness enough to take the extra hassle of putting some nice wrapper on my php code :)
php is a language that sells itself to terrible programmers terribly well.
ex: \ as a namespace separator (this is wrong on a variety of levels)
magic quotes
mysql_real_escape_string / mysql_escape_string
etc...

naimex
14-01-09, 09:41
php is a language that sells itself to terrible programmers terribly well.
ex: \ as a namespace separator (this is wrong on a variety of levels)


I don't use that feature. it's misleading and in most applications with code highlighting it will show the wrong color, which is just annoying when you're sitting with 3k+ line files.


But yea, php has its flaws and such too, I'm just of the opinion that even though asp doesn't have as many flaws, it has more limitations than php does.

And at least where I work, even php's limits are being pushed to do weird things.

StevenJ
14-01-09, 22:55
Top 25 Most Dangerous Coding Mistakes (http://news.bbc.co.uk/2/hi/technology/7824939.stm)

I scored 19/25! What do I win? :D

(kidding... :P)

Asurmen Spec Op
14-01-09, 23:38
I don't use that feature. it's misleading and in most applications with code highlighting it will show the wrong color, which is just annoying when you're sitting with 3k+ line files.


But yea, php has its flaws and such too, I'm just of the opinion that even though asp doesn't have as many flaws, it has more limitations than php does.

And at least where I work, even php's limits are being pushed to do weird things.
Don't even get me started on .NET

Brammers
15-01-09, 00:38
There is one mistake all the coders here are guilty of - CWE-20: Improper Input Validation

aKe`cj
15-01-09, 01:48
There is one mistake all the coders here are guilty of - CWE-20: Improper Input Validation

It's funny and sad how many people don't even validate form data when it doesn't come from a user input field, but from a hidden one. :)

Asurmen Spec Op
15-01-09, 06:18
It's funny and sad how many people don't even validate form data when it doesn't come from a user input field, but from a hidden one. :)
Assuming web stuff, if you don't validate everything that you get from POST/GET, then you are really asking for it.
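The hidden-field point from the last two posts, as an added example that is not part of the thread. It is written in Python rather than PHP and uses a constructed catalogue and constructed form submissions; the function and field names (item_id, qty, price) are assumed for illustration. A hidden input is just another key in POST/GET that the client can set to anything, so the hardened handler looks the price up server-side and checks every field, hidden or not, against the same rules.

```python
from decimal import Decimal

# Constructed server-side catalogue: the only place a price may come from.
CATALOGUE = {"101": Decimal("19.99"), "102": Decimal("4.50")}


class ValidationError(ValueError):
    """Raised for any request field that fails a server-side rule."""


def checkout_trusting_hidden_fields(form: dict) -> Decimal:
    """The bug: the price is read from a hidden <input name="price">, i.e. from the
    client. The hidden attribute hides it from the user's screen, not from the user."""
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty


def checkout_validated(form: dict) -> Decimal:
    """The fix: every field from POST/GET is checked against server-side rules, and the
    price is never read from the request at all."""
    item_id = form.get("item_id", "")
    if item_id not in CATALOGUE:                     # allowlist: known items only
        raise ValidationError("unknown item_id")
    qty_raw = form.get("qty", "")
    if not qty_raw.isdigit():                        # type: digits only (rejects "-1", "", "1e3")
        raise ValidationError("qty must be a positive integer")
    qty = int(qty_raw)
    if not 1 <= qty <= 99:                           # range: business limit
        raise ValidationError("qty out of range")
    return CATALOGUE[item_id] * qty                  # price comes from the catalogue


def is_valid(form: dict) -> bool:
    """Convenience wrapper so callers (and tests) can ask yes/no without catching."""
    try:
        checkout_validated(form)
        return True
    except ValidationError:
        return False


# Constructed submissions: the first has the hidden price edited to one cent,
# the second has a negative quantity, the third is a normal order.
TAMPERED_PRICE = {"item_id": "101", "qty": "2", "price": "0.01"}
NEGATIVE_QTY = {"item_id": "101", "qty": "-1", "price": "19.99"}
HONEST_ORDER = {"item_id": "102", "qty": "3", "price": "4.50"}

if __name__ == "__main__":
    print("trusting hidden price:", checkout_trusting_hidden_fields(TAMPERED_PRICE))
    print("validated            :", checkout_validated(TAMPERED_PRICE))
    print("negative qty accepted:", is_valid(NEGATIVE_QTY))
    print("honest order total   :", checkout_validated(HONEST_ORDER))
```

The same rule covers values that arrive in cookies, headers or URL path segments: the server has no way to tell which of them a browser produced unmodified, so each is validated on arrival and anything with business meaning (a price, a role, a user id) is re-derived from server-side state rather than taken from the request.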