More on common weakness

Dan Quist writes in to point at that writing software is hard and we should expect errors. No doubt. Perfect software is not on the near horizon and good programmers using good tools will make stupid mistakes.

But the CWE compendium points to systemic problems in the field. Look at the problem of allowing unfiltered user input to go to a database engine that then executes unsafe commands.

  1. Not checking entered data is unacceptable programming practice.
  2. The programming language libraries that offer SQL commands have no reason to pass complex commands. Instead of “do database whatever this string says”, there should be a highly efficient “do a select on this field in this database table”.
  3. The databases should at least support some permission system so that databases are opened with read permissions only if no writes are expected or read+InsertRecord or read+ReplaceRecord.

These types of errors are to be expected in software created by unqualified programmers using badly designed software.