Comment Re:Sanitize crazyness (Score 1) 215
Take the C argument. The issue is really again one of input validation; buffer overflows happen ultimately because of problems with input validation.
Sometimes they do; sometimes they happen because a series of inputs, while valid individually, nevertheless result, when combined, in a value too big for an internal buffer.
There have been plenty of exploits and injections in software written in Java, Perl, Python, Ruby, BASIC, etc. It almost always comes down to input validation, and that is because input validation is *HARD* for any non-trivial range of allowed inputs.
So you have three options:
1: write a validator and assume the validator produces "safe" output
2: don't validate the data and treat it as potentially hostile wherever it passes in your system
3: write a validator but nevertheless treat the data as potentially hostile even after passing through the validator. That way you have to screw TWO things up to get a serious exploit.
Then start mixing other technologies and it gets even more fun. So your C program is on a system using UTF-8: how big a buffer do you need to handle data from the database server with a VARCHAR(128) field? What character encoding is it using? What else writes data to that field, and what character encoding do those things use?
So you have three options:
1: try to work out what the maximum size is and use a fixed buffer of that size with no bounds checking
2: do the above but put in checking so that if you screw things up you get an error instead of memory corruption.
3: use a buffer allocated on demand of the size that is actually needed.
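The VARCHAR(128) question and the last two buffer options, as an added C example that is not part of the comment above. It assumes a hypothetical column of 128 characters and a constructed sample value of 128 four-byte UTF-8 code points (512 bytes), which a database would accept as 128 characters but which overflows a 128-byte buffer. `copy_field_checked` is option 2 (fixed worst-case buffer, every copy bounds-checked so a sizing mistake becomes an error rather than memory corruption) and `copy_field_alloc` is option 3 (allocate exactly what the value needs). The function and buffer names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical column: the VARCHAR(128) from the comment above. */
#define COLUMN_CHARS 128
/* A UTF-8 code point is at most 4 bytes, so size the fixed buffer for the
 * worst case plus the terminating NUL, not for 128 bytes. */
#define COLUMN_MAX_BYTES (COLUMN_CHARS * 4 + 1)

/* Option 2: fixed buffer, but the copy refuses anything that does not fit.
 * Returns 0 on success, -1 (dst set to "") if src would overflow dst. */
int copy_field_checked(char *dst, size_t dstlen, const char *src, size_t srclen)
{
    if (dstlen == 0)
        return -1;
    if (srclen >= dstlen) {          /* srclen bytes plus the NUL must fit */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Option 3: allocate exactly what this value needs. Caller frees.
 * Returns NULL on allocation failure or if srclen + 1 would wrap. */
char *copy_field_alloc(const char *src, size_t srclen)
{
    if (srclen == SIZE_MAX)
        return NULL;
    char *out = malloc(srclen + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, src, srclen);
    out[srclen] = '\0';
    return out;
}

/* Count UTF-8 code points by counting lead bytes (anything not 10xxxxxx).
 * A VARCHAR(128) limit bounds this number; it says nothing about bytes. */
size_t utf8_codepoints(const char *s, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (((unsigned char)s[i] & 0xC0) != 0x80)
            n++;
    return n;
}

/* Constructed sample: 128 copies of U+1F600, 4 bytes each. A database
 * accepts this as 128 characters; it is 512 bytes of UTF-8. */
static char sample[COLUMN_CHARS * 4];

size_t build_sample(void)
{
    static const char grin[4] = { (char)0xF0, (char)0x9F, (char)0x98, (char)0x80 };
    for (size_t i = 0; i < COLUMN_CHARS; i++)
        memcpy(sample + i * 4, grin, 4);
    return sizeof sample;                 /* 512 bytes */
}

/* Does the sample fit a fixed buffer of dstlen bytes? 0 = fits, -1 = rejected. */
int sample_fits_fixed(size_t dstlen)
{
    char buf[COLUMN_MAX_BYTES];
    if (dstlen > sizeof buf)
        dstlen = sizeof buf;
    size_t len = build_sample();
    return copy_field_checked(buf, dstlen, sample, len);
}

/* Byte length of an on-demand copy of the sample, 0 if the copy failed
 * or does not match the source. */
size_t sample_alloc_len(void)
{
    size_t len = build_sample();
    char *copy = copy_field_alloc(sample, len);
    if (copy == NULL)
        return 0;
    size_t n = strlen(copy);
    int same = memcmp(copy, sample, len) == 0;
    free(copy);
    return same ? n : 0;
}

int main(void)
{
    size_t len = build_sample();
    printf("%zu code points, %zu bytes\n", utf8_codepoints(sample, len), len);
    printf("128-byte buffer: %s\n", sample_fits_fixed(128) == 0 ? "fits" : "rejected");
    printf("%d-byte buffer: %s\n", COLUMN_MAX_BYTES,
           sample_fits_fixed(COLUMN_MAX_BYTES) == 0 ? "fits" : "rejected");
    printf("on-demand copy: %zu bytes\n", sample_alloc_len());
    return 0;
}
```

A buffer sized from the column's character count (option 1) silently corrupts memory on this input; the checked copy rejects it, and only a 513-byte buffer or an on-demand allocation holds it. Note that the worst-case figure of 4 bytes per character only holds if the field really is UTF-8; if another writer stored a different encoding in the same column, the count of lead bytes is meaningless and the checked copy is the only thing standing between you and corruption.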