Determine the precise parameters of input based upon string length, string content, and network characteristics (domain, hostname, port, as applicable).
Any program that interacts with an application outside itself can be exploited if the user-provided data is malformed. This can lead to two different kinds of injections. First, SQL-injections arise when malformed data is given to an application for insertion into a database; the malicious data contains SQL commands and thus runs with application-level privileges to corrupt, steal, or delete information. Second, any user-provided data that is not checked can be used to pass malicious parameters or commands to the operating sytem, the Python interpreter, or both.
In this regard, any Python system call is suspect because it interacts with the operating system. Python methods of which one should be particularly careful are:
- exec()
- eval()
- os.system()
- os.popen()
- execfile()
- input()
- compile()