
How about "only pass user-sourced data in parameters"? So anything that isn't a parameter is coming from the app, possibly as a response to user data, but not actually from user data. This statement seems just as powerful as the original. Anything misleading about it? Somewhere you can't use parameters and can't simply use app-supplied query pieces?



You see how we're converging on "just use proper input validation", which is the all-time least useful piece of advice in software security?


Because input validation is hard to do. A rule to not pass input EVER (outside of parameters), even in a supposedly validated form, is something different.
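As an added example (not code from either commenter) of the rule the two comments converge on: user-supplied values go only into bound parameters, and where SQL cannot take a parameter (an ORDER BY column or direction) the user's choice selects an app-owned fragment from a fixed table rather than being "validated" and concatenated. Python with sqlite3; the table, columns and rows are constructed for the example.

```python
import sqlite3

# Constructed sample data so the example runs offline.
SAMPLE_ROWS = [
    ("alice", 30, "admin"),
    ("bob", 25, "user"),
    ("carol", 41, "user"),
]

# App-owned SQL fragments keyed by the user's choice. The user's string only
# selects an entry; the entry itself is what reaches the query text.
SORT_COLUMNS = {"name": "name", "age": "age"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, age INTEGER, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_users(conn, role, sort_by, direction):
    """role (a value) is bound as a parameter. sort_by/direction (identifiers,
    which placeholders cannot express) are looked up in app-owned tables;
    an unknown choice is rejected, never sanitised and spliced in."""
    try:
        column = SORT_COLUMNS[sort_by]
        order = SORT_DIRECTIONS[direction]
    except KeyError:
        raise ValueError("unsupported sort option")
    sql = f"SELECT name FROM users WHERE role = ? ORDER BY {column} {order}"
    return [row[0] for row in conn.execute(sql, (role,))]


def find_users_concatenated(conn, role):
    """The anti-pattern the thread argues against: user data built into the
    SQL text, so a quote in the input changes the query's meaning."""
    sql = "SELECT name FROM users WHERE role = '" + role + "'"
    return [row[0] for row in conn.execute(sql)]
```

With the same hostile role string, the parameterised version matches no rows while the concatenated version returns every user.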



