9 May 2012 23:31
Re: code as data vs. code injection vulnerability
Stuart Halloway <stuart.halloway <at> gmail.com>
2012-05-09 21:31:03 GMT
>> This is the point! On one hand I need to evaluate data from a client
>> on the other hand I'd like to filter out things like "rm -rf /", "drop
>> table users" etc. To me it looks like a contradiction impossible to
>> circumvent. So I ask if there's anything like "best practices" or even
>> better something like a concept of access rights or prepared
>> statements in Clojure? AFAIK there isn't any. So this problem must be
>> solved on the host platforms (database, operating system etc). To me
>> this looks much like wheel-reinventing...
> Or you can just use something like XML or a custom language for data transfer, which also avoids tying your clients to Clojure. I've never understood why anyone would use prn/read for data transfer, other than extreme laziness.
(1) Using Clojure as a print/read format does not tie your clients to Clojure. Readers exist in many languages, and are easy to implement.
(2) XML, despite its baroqueness, is extensible. So is Clojure data. This is a big advantage, and many approaches lack it.
Cheers,
Stu
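What the print/read approach looks like when the client's bytes are treated strictly as data, as an added example that is not from this thread or from Clojure itself. It assumes Clojure 1.5 or later (for clojure.edn) and constructs its own sample payloads; the names example.safe-read, parse-request and allowed-ops are hypothetical.

```clojure
;; Added example, not from the thread. Assumes Clojure 1.5+ for clojure.edn.
(ns example.safe-read
  (:require [clojure.edn :as edn]))

;; Constructed sample payloads, as a client might send them.
(def benign-payload "{:op :list-users :limit 10}")
;; A #= form is reader-eval: clojure.core/read-string runs it when
;; *read-eval* is true. The expression is deliberately harmless.
(def code-payload "#=(+ 1 2)")

;; Guarded use of the core reader: with *read-eval* bound to false the
;; reader refuses #= forms instead of evaluating them. (The default is
;; true unless the JVM is started with -Dclojure.read.eval=false.)
(defn read-core-guarded [s]
  (binding [*read-eval* false]
    (read-string s)))

;; Preferred: the EDN reader knows only the data subset and has no
;; reader-eval at all, so a payload cannot become code whatever
;; *read-eval* happens to be bound to.
(defn read-client-data [s]
  (edn/read-string s))

;; The parsed value is a request *structure*, never something to eval.
;; The server picks behaviour from a closed set of ops; the client only
;; supplies parameters, which plays the role of a prepared statement.
(def allowed-ops #{:list-users :get-user})

(defn parse-request
  "Returns a validated request map, or throws ex-info on bad input."
  [s]
  (let [data (try (read-client-data s)
                  (catch Exception e
                    (throw (ex-info "unreadable payload"
                                    {:cause (.getMessage e)}))))
        limit (:limit data)]
    (when-not (and (map? data) (contains? allowed-ops (:op data)))
      (throw (ex-info "malformed or disallowed request" {:data data})))
    (when-not (or (nil? limit) (and (integer? limit) (pos? limit)))
      (throw (ex-info "bad limit" {:limit limit})))
    (select-keys data [:op :limit])))

;; :data when the payload parses and validates, :rejected otherwise.
(defn classify [s]
  (try (parse-request s) :data
       (catch clojure.lang.ExceptionInfo _ :rejected)))

(defn demo []
  {:benign (classify benign-payload)
   :code   (classify code-payload)})
```

Running (demo) shows the benign map accepted and the #= payload rejected at read time; read-core-guarded on the same payload also throws rather than evaluating it.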