
Let's talk about one specific thing from the article:

>Things started to go awry when he first registered the tags. He tried typing in his license plate but the DMV website wouldn't accept it.

Let's talk about the fact that the DMV website wouldn't accept it. Do you think this is all right behavior on the part of the DMV website?

It's really interesting because if you're coding up the DMV website, it makes sense to disallow NULL just as a preventative measure, like not allowing '-- in a query (to prevent SQL injection attacks).

I would generally think that on the whole you should accept -- as a substring in a password. But is it wrong programming if you don't allow that substring?

Disallowing it could cause someone's chosen password to fail, so they have to change it before you will accept it. But if you know for sure that you use SQL as part of processing passwords, you might well decide that it is acceptable to make people try a new password before you'll accept theirs, in case you are not confident that you are escaping everything correctly.

So from my end it seems okay to do something like disallow NULL.

If you consider the choice of the programmer on the DMV's website, what do you think about their choice to reject this input, even though in fact it turned out to be legitimate? Is it acceptable programming practice?




I don't believe this is acceptable. By any modern sane best practice, the word NULL in a string from a web form (where your input is basically by definition a string) is a string like any other.

Blocking -- in a string does not prevent SQL injection attacks. Using proper parameterised queries does. This might sound mildly hostile but "you are not confident that you are escaping everything correctly" - when this is a well defined and solved problem - means you should not be building this application as you're too incompetent to. For the millions of taxpayer money wasted on this kind of thing, it is absurd.

Blacklisting keywords used in XSS is also completely futile, pointless, useless, and does nothing but piss off users that can no longer use anything containing the word log or window or whatever.

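Both comments above turn on the same question: whether a keyword blacklist (rejecting "--" or "NULL") buys any protection, or whether parameterised queries are what actually matters. The following is an added example written for this page, not code from either commenter or from any DMV system. It builds a constructed in-memory SQLite table of plates (the names and plates are made up), puts a blacklist in front of a string-concatenated query, and shows that the blacklist rejects a legitimate plate called NULL while letting an injection payload that contains neither "--" nor "NULL" through; the parameterised version accepts every string as data and is not injectable.

```python
import sqlite3


def make_db():
    """Constructed sample data (not real DMV records): three plates, one of them literally 'NULL'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plates (plate TEXT PRIMARY KEY, owner TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO plates (plate, owner) VALUES (?, ?)",
        [("NULL", "Carol"), ("ABC123", "Alice"), ("XYZ789", "Bob")],
    )
    return conn


def blacklist_ok(user_input):
    """The kind of keyword blacklist discussed in the thread: reject '--' and the word NULL."""
    return "--" not in user_input and "NULL" not in user_input.upper()


def lookup_concat(conn, plate):
    """Vulnerable: the plate is spliced into the SQL text, 'protected' only by the blacklist."""
    if not blacklist_ok(plate):
        raise ValueError("rejected by blacklist")
    sql = "SELECT owner FROM plates WHERE plate = '" + plate + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, plate):
    """Fixed: a bound parameter. The driver never parses the value as SQL, so no blacklist is needed."""
    rows = conn.execute("SELECT owner FROM plates WHERE plate = ?", (plate,))
    return [row[0] for row in rows]


def demo():
    """Run every case once and return the observations so they can be inspected or asserted on."""
    conn = make_db()
    results = {}

    # 1. The legitimate plate 'NULL' is refused by the blacklisted, concatenating code path.
    try:
        lookup_concat(conn, "NULL")
        results["null_concat"] = "accepted"
    except ValueError:
        results["null_concat"] = "rejected"

    # 2. Payloads with no '--' and no 'NULL' pass the blacklist and dump every row.
    #    Tautology: ... WHERE plate = '' OR '1'='1'
    results["inject_concat"] = sorted(lookup_concat(conn, "' OR '1'='1"))
    #    Alternate comment syntax: ... WHERE plate = '' OR 1=1 /*'   (SQLite accepts the open comment)
    results["inject_comment_concat"] = sorted(lookup_concat(conn, "' OR 1=1 /*"))

    # 3. With a bound parameter, 'NULL' is just a plate and the payload is just a non-matching string.
    results["null_param"] = lookup_param(conn, "NULL")
    results["inject_param"] = lookup_param(conn, "' OR '1'='1")
    results["dashes_param"] = lookup_param(conn, "AB--12")  # accepted, simply no such plate
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The blacklist fails in both directions: it turns away a real plate while stopping none of the payloads that matter, because an attacker chooses a payload that avoids the listed tokens (a tautology, or a different comment style). The parameterised query needs no list at all, which is the second commenter's point.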


