Yes, names. And the computer systems that handle them. If you write computer programs that handle people's names, read this blog post. Then read this article. Then go back and check your programs for how many of the assumptions in the article they make. Yes, all of those assumptions are invalid. Yes, you will have someone breaking them. Many someones. You'll have more people than you expect using your system. Think about this: right now, if something occurs for one person in a million, you can expect more than 300 such people in the United States alone (the US population was about 307 million as of July 2009).
And yes, someone out there undoubtedly has in fact legally changed their name to "Robert'); DROP TABLE users" just to be a prat. Your systems should be able to handle him in a suitably boring manner automatically, without any special-case code for SQL injection: if the name only ever travels to the database as a bound parameter and never as part of the SQL text, it is just another string.
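The point above, as an added example that is not part of the original post: the same name inserted by splicing it into the SQL text (the query is destroyed) and by binding it as a parameter (it is stored and retrieved verbatim, and no name-specific code is needed). It uses Python's standard-library sqlite3 module with an in-memory database; the `users` table layout and the trailing `--` on the name are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample input: the name from the post, with the trailing "--"
# that turns whatever follows into a SQL comment (assumed for the demo).
BOBBY = "Robert'); DROP TABLE users;--"


def make_db():
    """Fresh in-memory database with an assumed minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_user_unsafe(conn, name):
    """Vulnerable: the name becomes part of the SQL text.

    sqlite3's execute() refuses stacked statements, so executescript()
    stands in for a driver or configuration that runs several statements
    per call; the effect is the same as the classic cartoon.
    """
    sql = "INSERT INTO users (name) VALUES ('%s')" % name
    # For BOBBY this is:
    #   INSERT INTO users (name) VALUES ('Robert'); DROP TABLE users;--')
    conn.executescript(sql)
    conn.commit()


def insert_user_safe(conn, name):
    """The boring, correct version: the name is bound, never parsed as SQL."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def lookup(conn, name):
    """Exact-match lookup, also parameterized, so quotes in the name are data."""
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    c = make_db()
    insert_user_unsafe(c, BOBBY)
    print("unsafe: users table still exists?", table_exists(c, "users"))

    c = make_db()
    insert_user_safe(c, BOBBY)
    print("safe:   users table still exists?", table_exists(c, "users"))
    print("safe:   stored name:", lookup(c, BOBBY))
```

Note that the safe path has no knowledge of Mr. Tables at all: there is no escaping routine, no blacklist of keywords, and the exact-match lookup finds him because the quote and semicolon in his name were stored as ordinary characters.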