by bnegreve
4166 days ago
Dynamicity usually refers to the fact that you can execute code that wasn't fully specified at runtime. Lisp code is the stereotypical example of a dynamic programming language because it can update its own code while being executed. On the other hand, compiled C code is static because the code is loaded into memory and cannot be changed during the execution (as a matter of fact, the memory pages holding the code don't even have write permissions).
Btw, you can make it more dynamic by enabling dynamic libraries or modules, which make the whole thing less secure. In a static program, you can only execute code that was originally provided (at least in theory); that makes it harder to accidentally execute a piece of code provided by the user as input. Back to our problem: A dynamic website will typically take user input (e.g. the user name) and build a personalized view of the webpage for the user. To achieve this, the page will probably contain a SQL query with a 'name' field. If the inputs are not properly sanitized, the field can contain anything including SQL code. If the user is malicious, you have a SQL injection (i.e. the user can execute an arbitrary query). What happened is that you've executed code provided by the user.
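The 'name' field scenario described in the comment above, as an added example that is not part of the original thread: a constructed in-memory SQLite table plays the user store, one lookup splices the user-supplied name into the SQL text, and the other binds it as a parameter. A name containing an apostrophe is enough to show the difference: the spliced version hands the apostrophe to the SQL parser as code, while the bound version treats the whole string as data.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the site's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, greeting TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Hi Alice"), ("O'Brien", "Hi O'Brien")],
    )
    conn.commit()
    return conn


def greeting_unsafe(conn, name):
    # The user-supplied string becomes part of the query text, so the SQL
    # parser reads it as code: this is the pattern that enables injection.
    sql = "SELECT greeting FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def greeting_safe(conn, name):
    # Placeholder binding: the driver passes the value separately from the
    # query text, so whatever the string contains is only ever data.
    sql = "SELECT greeting FROM users WHERE name = ?"
    row = conn.execute(sql, (name,)).fetchone()
    return row[0] if row else None


def demo():
    # Run both lookups on a plain name and on one containing an apostrophe.
    conn = make_db()
    results = {
        "safe_plain": greeting_safe(conn, "alice"),
        "safe_quote": greeting_safe(conn, "O'Brien"),
        "unsafe_plain": greeting_unsafe(conn, "alice"),
    }
    try:
        results["unsafe_quote"] = greeting_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        # The apostrophe closed the string literal early and the remainder
        # was parsed as SQL, which is exactly the code/data confusion at issue.
        results["unsafe_quote"] = "sql error: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```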
As in eval()'ing code based on user input? That's pretty crazy, and I don't think (hope) a lot of real world security problems are caused by that!
> Back to our problem: A dynamic website will typically take user input (e.g. the user name) and build a personalized view of the webpage for the user
But this has little to do with the language, right? Now we're talking about handling user input, which can be dangerous. The OP seems to get this confused as well, which is one of the reasons I claim he's not exactly an expert.
A TLDR of the original article: "Handling user input can be dangerous, it's safer if you don't." But we already knew that...
As far as eval()ing user input, well, just grep your code for eval(), no need to change language.