Book Recommendation: Secure web programming?
Randy W. Sims

2005-10-04, 3:55 am

I know perl. I know some basics of web/CGI programming, but haven't done
anything where security really matters. Could anyone recommend books or
references that discuss real-world web programming, that show the right
way to create secure sites? Topics like creating logins, varying levels
of access rights (some can edit, some can view, some have limited
views), different methods of storing information & storing user data
(plain file, DBM, DBMS; strengths/weaknesses), what issues arise in
using web hosting vs having your own server.

Also, are there any particularly good general web development books you
highly recommend?

Thanks,
Randy.
Elfyn McBratney

2005-10-08, 6:55 pm

Hiya Randy,

On Tue, Oct 04, 2005 at 03:30:23 -0400, Randy W. Sims wrote:
> I know perl. I know some basics of web/CGI programming, but haven't
> done anything where security really matters. Could anyone recommend
> books or references that discuss real-world web programming, that
> show the right way to create secure sites? Topics like creating
> logins, varying levels of access rights (some can edit, some can
> view, some have limited views), different methods of storing
> information & storing user data (plain file, DBM, DBMS;
> strengths/weaknesses), what issues arise in using web hosting vs
> having your own server.


I used to have a link to a very good (online version) of a web-based
security book around, but can no longer find it, so I'll share some
pe[a]rls ;) I use when working on perl/CGI web-apps:

* If at all possible, use perl's built-in taint-mode - see the
man-page for `perlsec' for more info on this. With taint-mode
enabled, all input is tainted by default until verified to be
`correct'.

* Escape [shell] `meta'-characters - `"', `;', '|', etc. - in all user
input. This is especially important if you hand-off user-supplied
input to an external program (for example, `sendmail');

* Finally, don't black-list, white-list. In other words, don't check
for badly-formed, or `illegal' data, check for valid and correct
data. There is just a never ending list of things that'll need
black-listing (what with new types of exploits coming out daily (in
certain areas)), and you'll always be playing catch-up if you go the
reverse route.

> Also, are there any particularly good general web development books
> you highly recommend?


If I find that link (or remember the name of the book), I'll reply with
it. :)

Best,
Elfyn

--
Elfyn McBratney
Gentoo Developer/Perl Team Lead
beu/irc.freenode.net http://dev.gentoo.org/~beu/
+------------O.o--------------------- http://dev.gentoo.org/~beu/pubkey.asc

PGP Key ID: 0x69DF17AD
PGP Key Fingerprint:
DBD3 B756 ED58 B1B4 47B9 B3BD 8D41 E597 69DF 17AD

Randal L. Schwartz

2005-10-08, 6:55 pm

>>>>> "Elfyn" == Elfyn McBratney <beu@gentoo.org> writes:

Elfyn> * Escape [shell] `meta'-characters - `"', `;', '|', etc. - in all user
Elfyn> input. This is especially important if you hand-off user-supplied
Elfyn> input to an external program (for example, `sendmail');

Even better, don't let such things get near a shell. Use multi-arg exec
or system, or multi-arg open to fork-and-pipe.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
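The three practices in Elfyn's list (taint mode, validating input against a whitelist, keeping metacharacters away from external programs) and Randal's refinement (multi-arg open instead of escaping) fit in one short CGI-style script. This is an added illustration, not code from either poster; it assumes a sendmail binary at /usr/sbin/sendmail and uses constructed sample values in place of real form parameters.

```perl
#!/usr/bin/perl -T
# Added example: taint mode + whitelist validation + multi-arg pipe open,
# so user-supplied data is never handed to a shell. Run as ./script.pl
# or `perl -T script.pl` so the -T switch is honoured.
use strict;
use warnings;

# Under -T, %ENV is tainted; a child process would otherwise inherit it.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Whitelist: return the value only if it matches a strict pattern.
# The capture group ($1) is what untaints the data under taint mode.
sub untaint_email {
    my ($raw) = @_;
    return unless defined $raw;
    # Deliberately narrow address grammar; widen it only with care.
    return $1 if $raw =~ /^([A-Za-z0-9._%+-]{1,64}\@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,})$/;
    return;    # anything else is rejected outright, not "escaped"
}

sub untaint_subject {
    my ($raw) = @_;
    return unless defined $raw;
    # No CR/LF in the class, so extra mail headers cannot be injected.
    return $1 if $raw =~ /^([\w .,!?'-]{1,100})$/;
    return;
}

# Multi-arg open: the argument list goes straight to execve(), so
# `;`, `|`, backticks etc. in the data are never interpreted by /bin/sh.
sub send_mail {
    my ($to, $subject, $body) = @_;
    open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', '-t')
        or die "cannot run sendmail: $!";
    print {$mail} "To: $to\nSubject: $subject\n\n$body\n";
    close $mail or die "sendmail exited with status $?";
}

# Constructed sample inputs standing in for CGI parameters.
my $to      = untaint_email('alice@example.com');
my $subject = untaint_subject('Hello from the form');
defined $to && defined $subject or die "input rejected\n";

# Both of these are refused by the whitelist rather than escaped:
defined untaint_email('alice@example.com; id')     and die "too loose";
defined untaint_subject("Hi\nBcc: x\@example.net") and die "too loose";

send_mail($to, $subject, 'Generated by the example script.');
```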
Copyright 2008 codecomments.com