That, plus the way that there are such lovely functional structures, like 'zip' and 'map' and list comprehensions, that let you condense long complicated loops into simple mathematical expressions. It's a thing of beauty.
I've just finished doing some coding in Java and Python and the Python way is clearer. Maps in Java are still a bit broken (though improved in the 1.5 SDK). Maybe I will change my mind if I ever have to write anything > 1000 lines in python because I still don't fully grok python OO.
I'm recovering parse trees of SQL statements using PyBison (http://www.freenet.org.nz/python/pybison/api/index.html), and need to do a postorder traversal through them. (I can explain why if you really want to know.) PyBison has XML as one of its output formats, and xml.dom has all kinds of fantastic tree-traversal functions right there for me.
A colleague and I are working on a system to prevent SQL injection attacks, which involves parsing the SQL string being passed to a db and comparing it to a "known-good" string, as specified by the programmer for a given task; if the parses match, no injection. (That's a very brief overview. I can send you the paper if you want to read it.)
We have to allow developers to specify which part of the SQL string corresponds to user input, and find the narrowest enclosing scope for that substring (ie, the lowest node in the parse tree which generates the whole substring), in order to deal with tokenization.
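The check described in the last three comments, as an added example in Python: it is not the poster's code, not the paper's, and does not use PyBison. A tiny hand-written recursive-descent parser for a SELECT subset stands in for the PyBison grammar; the tree is held in xml.dom.minidom so the postorder walk mentioned above runs over DOM nodes; the lowest node generating the marked user input is the first enclosing node met in postorder; and a runtime query is accepted only when its tree has the same shape as the programmer's known-good query and the marked input is generated by a single literal token. The element and attribute names (tok, kind, start, end), the build_query helper and the probe strings are this example's own assumptions.

```python
"""SQL injection check by comparing parse trees, with the tree held in xml.dom.  Added example,
not the poster's PyBison code: a tiny hand-written parser for a SELECT subset stands in for
PyBison, and the element/attribute names (tok, kind, start, end, ...) are this example's own."""
import re
from xml.dom import minidom
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR"}
TOKEN_RE = re.compile(r"""(?P<ws>\s+) | (?P<comment>--[^\n]*) | (?P<num>\d+)
    | (?P<str>'(?:[^']|'')*') | (?P<name>[A-Za-z_]\w*) | (?P<op>[*=<>]) | (?P<bad>.)""", re.VERBOSE)

def tokenize(sql):                        # (kind, text, start, end) per token; blanks and -- comments dropped
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "bad":
            raise ValueError("unexpected character at offset %d" % m.start())
        if kind in ("ws", "comment"):
            continue
        if kind == "op" or (kind == "name" and text.upper() in KEYWORDS):
            kind = text.upper()           # keywords and punctuation are their own kinds
        tokens.append((kind, text, m.start(), m.end()))
    return tokens

class Parser:                             # recursive descent for: SELECT (*|name) FROM name WHERE cond
    def __init__(self, sql):
        self.toks, self.i, self.doc = tokenize(sql), 0, minidom.Document()

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def leaf(self, *kinds):               # one token of an allowed kind -> <tok> leaf with its offsets
        if self.peek() not in kinds:
            raise SyntaxError("expected %s at token %d" % ("/".join(kinds), self.i))
        kind, text, start, end = self.toks[self.i]
        self.i += 1
        el = self.doc.createElement("tok")
        el.appendChild(self.doc.createTextNode(text))
        for attr, val in (("kind", kind), ("start", str(start)), ("end", str(end))):
            el.setAttribute(attr, val)
        return el

    def node(self, name, kids):           # nonterminal: spans first child's start .. last child's end
        el = self.doc.createElement(name)
        for k in kids:
            el.appendChild(k)
        el.setAttribute("start", kids[0].getAttribute("start"))
        el.setAttribute("end", kids[-1].getAttribute("end"))
        return el

    def select(self):
        kids = [self.leaf("SELECT"), self.leaf("*", "name"), self.leaf("FROM"),
                self.leaf("name"), self.leaf("WHERE"), self.cond()]
        if self.i != len(self.toks):
            raise SyntaxError("trailing tokens at %d" % self.i)
        return self.node("select", kids)

    def cond(self):                       # cond := factor ((AND|OR) factor)*
        kids = [self.factor()]
        while self.peek() in ("AND", "OR"):
            kids += [self.leaf("AND", "OR"), self.factor()]
        return self.node("cond", kids)

    def factor(self):                     # factor := operand (=|<|>) operand
        return self.node("factor", [self.leaf("name", "num", "str"),
                                    self.leaf("=", "<", ">"), self.leaf("name", "num", "str")])

def postorder(el):                        # element nodes, children first and parent last
    for c in el.childNodes:
        if c.nodeType == c.ELEMENT_NODE:
            yield from postorder(c)
    yield el

def narrowest_enclosing(root, start, end):
    """Lowest node generating all of sql[start:end], or None.  In postorder a node follows its own
    descendants and every disjoint earlier subtree, so the first enclosing node met is the lowest."""
    for el in postorder(root):
        if int(el.getAttribute("start")) <= start and end <= int(el.getAttribute("end")):
            return el
    return None

def shape(el):                            # structural fingerprint: names and token kinds, no literal text
    if el.tagName == "tok":
        return el.getAttribute("kind")
    return (el.tagName, tuple(shape(c) for c in el.childNodes if c.nodeType == c.ELEMENT_NODE))

def build_query(value):                   # constructed app code: naive concatenation, plus the input span
    prefix = "SELECT * FROM users WHERE name = '"
    return prefix + value + "'", (len(prefix), len(prefix) + len(value))

def is_injection_free(known_good, good_span, sql, span):
    """True when sql parses like known_good and the marked input is generated by a single literal."""
    try:
        good, actual = Parser(known_good).select(), Parser(sql).select()
    except (ValueError, SyntaxError):
        return False                      # unparsable at runtime: never send it to the database
    g, a = narrowest_enclosing(good, *good_span), narrowest_enclosing(actual, *span)
    return (shape(good) == shape(actual)  # same structure: no extra OR / comparison nodes
            and a is not None and g is not None and a.tagName == "tok"   # input is one literal token
            and a.getAttribute("kind") in ("str", "num") and shape(a) == shape(g))

KNOWN_GOOD, GOOD_SPAN = build_query("alice")   # the programmer's specimen of the intended query
```

Calling `is_injection_free(KNOWN_GOOD, GOOD_SPAN, *build_query(v))` returns True for `bob` and for the correctly doubled `O''Brien`, and False for `' OR '1'='1` (the cond node gains an OR and a second factor, so the shapes differ), for `x' --` (the comment is dropped by the tokenizer, so the shape still matches, but the marked input span runs past every node and no literal generates it), and for an unescaped `O'Brien` (it does not parse at all). The comment case is the one that matters most: it shows why the span check in the later comment is needed on top of the shape comparison.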
Ahh, very nice. What advantages, if any, would this approach have over, say, escaping special characters in the user input? Is that method insufficient in some cases?
Good on you for actually doing input validation at all. In the past, I've pulled off deep evil by taking advantage of a lack of validation at places like the NIH's website.
Yup, I even have my own system for dealing with cross-site scripting :) When tags are allowed, I pass everything through HTML Tidy first, and then filter for the naughty stuff. I have tested it against all known XSS methods, but I may still have some work to do on it since I'm using a blacklist filter, rather than the recommended method of using a whitelist. Using Tidy of course has the added benefit that my pages are still valid XHTML, even when users put in invalid HTML.
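An added example of the whitelist approach the comment above mentions, written for this page rather than taken from the poster's Tidy-plus-blacklist filter: a sanitiser on Python's html.parser that rebuilds the markup keeping only listed tags and attributes, next to a small pattern blacklist of the kind the comment describes, run over constructed probes. The allowed tag and attribute lists, the blacklist pattern and the probe strings are this example's own choices.

```python
"""Whitelist HTML sanitiser on top of html.parser.  Added example, not the poster's Tidy-plus-
blacklist filter: it rebuilds the markup keeping only listed tags and attributes (the whitelist
approach the comment refers to) and is contrasted with a small pattern blacklist.  Inputs are constructed."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED = {"p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
           "ul": set(), "li": set(), "a": {"href", "title"}, "img": {"src", "alt"}}
VOID = {"br", "img"}                      # no closing tag
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL

def safe_url(value):
    """Return value if its scheme is harmless, else None.  Tabs/newlines are removed first
    because browsers ignore them inside a scheme ('java\\tscript:') and old urlsplit did not."""
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    return cleaned if urlsplit(cleaned).scheme in SAFE_SCHEMES else None

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # attribute values and text arrive decoded
        self.out, self.open = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                        # unlisted tag (script, iframe, ...) dropped, its text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                  # on*, style and every other unlisted attribute never pass
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open:
            return                        # stray close tag, dropped
        while True:                       # close whatever is still open inside it: output stays nested
            last = self.open.pop()
            self.out.append("</%s>" % last)
            if last == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text is re-escaped: '<' can never start a tag

    def result(self):
        self.close()
        while self.open:                  # close tags the author forgot
            self.out.append("</%s>" % self.open.pop())
        return "".join(self.out)

def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    return s.result()

BLACKLIST = re.compile(r"</?script>|javascript:|onerror=|onclick=", re.IGNORECASE)

def blacklist_filter(html):
    """The pattern-deletion approach, for contrast only: one pass over a fixed list of bad strings."""
    return BLACKLIST.sub("", html)

# Constructed probes.  The whitelist yields inert markup for every one; the blacklist lets the
# unlisted handler and the entity-encoded scheme through, and reassembles the split tag itself.
PROBES = [
    '<p>Hello <b>world</b> &amp; 1 < 2</p>',
    '<img src="x" onerror="alert(1)">',
    '<a href="javascript:alert(1)">x</a>',
    '<img src="x" onload="alert(1)">',                  # handler not on the blacklist
    '<a href="JaVa&#9;ScRiPt:alert(1)">x</a>',          # mixed case plus an entity-encoded tab
    '<scr<script>ipt>alert(1)</scr</script>ipt>',       # single-pass deletion rebuilds <script>
]

if __name__ == "__main__":
    for probe in PROBES:
        print("whitelist:", sanitize(probe))
        print("blacklist:", blacklist_filter(probe))
```

The difference is structural rather than a matter of a longer list: the whitelist never emits a tag or attribute it was not told about and re-escapes all text, so a new attack string needs no new rule, whereas each blacklist entry only covers the spelling it was written for.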
"pulled off deep evil by taking advantage.."
yes, I think I remember a post to that effect
(no subject)
Date: 2005-02-17 12:02 pm (UTC)

(no subject)
Date: 2005-02-17 10:02 pm (UTC)

(no subject)
Date: 2005-02-17 10:23 pm (UTC)

just one question....
Date: 2005-02-17 09:55 pm (UTC)
...
but wtf are you using it for?

Re: just one question....
Date: 2005-02-17 10:01 pm (UTC)

Re: just one question....
Date: 2005-02-17 11:01 pm (UTC)
I'll bite.. why are you recovering parse trees of SQL statements and needing to do postfix traversals?
Re: just one question....
Date: 2005-02-18 12:25 am (UTC)
Re: just one question....
Date: 2005-02-18 06:19 am (UTC)
Re: just one question....
Date: 2005-02-18 06:07 pm (UTC)
Got it in one! Yup, and we have a paper with some fun math proving it. :)
Re: just one question....
Date: 2005-02-18 11:21 pm (UTC)
hehe :)
Re: just one question....
Date: 2005-02-18 11:46 pm (UTC)

Re: just one question....
Date: 2005-02-19 07:18 am (UTC)