Before moving forward, I want to share with you a news item, and put it in perspective of our boot camp. A couple days ago, on February 5, 2009, Geeks.com agreed to a settlement with the FTC as a result of the site being hacked about a year ago.
What happened?
According to news sources, Geeks.com was hacked using a technique known as SQL injection; and once in, the hackers found the data was not encrypted.
SQL injection is incredibly easy to prevent. What happens when you're not guarding against it is a hacker will enter text into a web form; this text is intended to be used as part of an SQL statement. But the text being entered contains characters that terminate an SQL statement, followed by more SQL that accesses and modifies the data. (Note: This is a boot camp. Did that make sense? If not, read it again until it does. You're a programmer, and things like that should make sense to you.)
So how do you prevent SQL injection? Think about it. You don't want the characters that terminate an SQL statement to be allowed in; you don't want SQL in general to be allowed in. One way is to guard against such characters by deleting them or escaping them. Another is to not piece together the SQL but rather use stored procedures.
Now why does this relate to our boot camp? Because
such errors should never have happened. It's hard to say what went on at Geeks.com. But I would like to speculate. This is my own speculation, and I can't know what really happened. But I would suspect it comes down to two problems: The programmers didn't know better, and the managers didn't know that the programmers were lacking in knowledge.
As programmers, we simply cannot allow this to happen. It's too easy to just put together code that works. But a good programmer must constantly be on alert for potential problems. Are you reading text from a web form and then piecing together a string into an SQL statement? Then what could go wrong? "What could go wrong?" needs to be constantly on our minds.
And even more, the programmers must be aware of the security risks and how to prevent them. "SQL Injection" is a common threat and you should know about it, and many others.
How do you find out about such things? The key there is to go to the online docs, the manuals, and read (or at
least skim!) everything that you can. And most importantly, read the overviews and the "best practices" documents. Those documents will give you a summary of the most important aspects of what you're doing. And where do you find these documents? That's why it's vital to familiarize yourself with the documentation. Are you programming in PHP? Then know your way around the PHP.net site. Are you programming in ASP.NET? Then know the Microsoft documentation, both the one that's installed on your computer as well as the MSDN site.
That is key. As programmers, we must be masters of our trade, we must be experts, and we can not allow sloppiness to happen. Imagine writing code, thinking it's perfect, only to find out that due to one of
your mistakes, the company is now being sued. Again, I can't know if that was what happened at Geeks.com, but I can say that if it does happen anywhere, it would be a horrible thing to go through. And there's no reason for it. Be an expert.
. Click All Programs. Scroll to the top of the list and find Adobe Reader. Click it.
Posts
