Posted by Michael Fesser on 10/21/07 20:55
..oO(Jerry Stuckle)
>Gary L. Burnore wrote:
>>
>> Security is about many things of which prevention is one.
>
>No responsible person in the security field will ever claim that.
>
>There is no such thing as "prevention". That would indicate that
>something can't happen, which is impossible to do.
If a file is stored outside the document root, it can't be accessed by a
URL. That's prevention.
If you allow the user to submit a value out of [1, 2, 3] to a form
processing script and check it against the set of allowed values, they
can't inject a 4. That's prevention.
>For instance, banks have been trying to prevent robberies for hundreds
>of years. Nowadays they have CCTV, armed guards, vaults, silent
>alarms... the list goes on. But they still get robbed. Because there
>is no "prevention".
There are things that _can_ be prevented and there are things where you
can just lower the probability of them happening.
Micha
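The allowed-values check Micha describes, as an added PHP example that is not code from anyone in this thread: it assumes a form field named "choice" and contrasts a loose in_array() check with a strict one that returns the canonical value from the allowlist.

```php
<?php
// Added example (not from the thread): allowlist a form value against {1, 2, 3}.
// Assumes the submitted field is named "choice"; the loose variant is shown
// only to illustrate the pitfall and is not the recommended form.

const ALLOWED_CHOICES = [1, 2, 3];

// Weak: in_array() without strict comparison. Numeric strings such as "1.0"
// or "01" compare equal to the integer 1, so they pass, and the untrusted
// string itself (not a clean integer) is what flows downstream.
function chooseLoose(string $input): ?string
{
    return in_array($input, ALLOWED_CHOICES) ? $input : null;
}

// Hardened: accept only digit characters, convert once, compare strictly, and
// hand back the allowlist's own value rather than echoing the caller's input.
function chooseStrict(string $input): ?int
{
    if (!ctype_digit($input)) {               // only the characters 0-9
        return null;
    }
    $n = (int) $input;
    if (!in_array($n, ALLOWED_CHOICES, true)) {
        return null;
    }
    return $n;                                 // canonical 1, 2 or 3
}

// Demonstration on constructed sample inputs (what $_POST['choice'] might hold).
$samples = ['2', '4', '1.0', '01', "1' OR 1=1", ''];
foreach ($samples as $s) {
    printf("%-12s loose=%-6s strict=%s\n",
        var_export($s, true),
        var_export(chooseLoose($s), true),
        var_export(chooseStrict($s), true));
}
```

Running it shows "1.0" and "01" accepted by the loose check while the strict check rejects "1.0" and normalises "01" to the integer 1; a "4" is refused by both, which is the prevention the post is talking about.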