<FONT face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif" size=2>-----kwlug-disc-bounces@kwlug.org wrote: -----<br>
<div>
>To: KWLUG discussion <kwlug-disc@kwlug.org><br>
>To be fair, 20 years ago, the environment that programs would be deployed in was far less hostile than what it is today for web servers.<br>
>Apart from the Morris worm, there were no port scans, remote exploits, code injection, SQL injection, Cross Site Scripting, Cross Site Request Forgery, ...etc. ad nauseam.<br>
><br>
>The worst that could happen was that an insider would do a Robin Hood and Friar Tuck<br>
><br>
>http://www.csd.uwo.ca/~magi/personal/humour/Computer_Folklore/Robin%20Hood%20And%20Friar%20Tuck.html<br>
<br>
I should clarify. I learned user-space application programming, not operating system programming. The bugs above were either kernel level or service level. We learned to edit user input to obtain clean data.<br>
<br>
I suppose the advent of SQL, where we are tempted to build command strings using input data, is one major turning point for security bugs. In other databases we didn't have that option, since the interface was programmatic, not command-oriented. I wonder how many programmers don't know to use replaceable parameters in SQL calls.<br>
<br>
Should we blame SQL or SQL library designers for allowing us to make command strings?<br>
<br>
We could also blame Unix and GNU for providing such useful tools that programmers would rather run shell commands to complete tasks than do it programmatically?<br>
<br>
No one has mentioned Perl, one of the early favourites for web programming. Perl, at least now, recognizes tainted data and refuses to use it unless it is massaged.<br>
</div></FONT>
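The "command strings versus replaceable parameters" distinction made in the message above, shown side by side as an added example (not code from the original post or the list); the in-memory sqlite3 table, its three names and the inputs are all constructed here:

```python
import sqlite3

# Constructed sample data (not from the original post): a tiny users table.
SAMPLE_USERS = ["alice", "bob", "carol"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(n,) for n in SAMPLE_USERS])
    return conn


def lookup_by_concat(conn, name):
    """The 'command string' style the post describes: user input is glued
    into the SQL text, so a quote character in the input rewrites the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_parameter(conn, name):
    """Replaceable parameter: the SQL text is fixed and the driver passes the
    value separately, so the input is only ever compared as data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    conn = make_db()
    benign = "alice"
    # Constructed input with an embedded quote, the textbook shape that
    # detection rules look for; used here only to show the two styles diverge.
    hostile = "alice' OR '1'='1"
    results = {
        "concat_benign": lookup_by_concat(conn, benign),
        "concat_hostile": lookup_by_concat(conn, hostile),  # matches every row
        "param_benign": lookup_by_parameter(conn, benign),
        "param_hostile": lookup_by_parameter(conn, hostile),  # matches nothing
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15s} -> {rows}")
```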