Where Science Went Wrong (hilarious web site)

Quadibloc wrote:
Mike Ash wrote:
Why? With any half-competent data layer, a good index will work and a
bad index will return an error. If your data layer can be exploited by
giving it a bad ID number, then your problem lies in the data layer.

Expected behavior is that *any* invalid URL gives a nice neat 404 error.

Nothing is _ever_ passed on to any code which can cause an unhandled
exception, because the results of an error are, by their very nature,
unpredictable. They can potentially be exploited for attack purposes,
or they can have denial-of-service results just by accident - bringing
the system down, or causing an infinite loop.

In this case, the design error is to allow the untrusted outside world
to make a database request directly. Instead, there should be a layer
of bombproof code that parses URLs, sorts out valid ones from invalid
ones, and then, once it gets a valid one, passes on the request to the
database engine.

Obxkcd: http://xkcd.com/327/

Dave "also see: the BLINK tag in my .sig" DeLaney
--
\/David DeLaney posting from "It's not the pot that grows the flower
It's not the clock that slows the hour The definition's plain for anyone to see
Love is all it takes to make a family" - R&P. VISUALIZE HAPPYNET VRbeableBLINK
http://www.vic.com/~dbd/ - net.legends FAQ & Magic / I WUV you in all CAPS! --K.