WebApp Sec mailing list archives
Re: SQL Injection Basics
From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 11 Feb 2003 20:48:45 +0100
[dreamwvr () dreamwvr com]
| Well IMO why not simply filter out all non alpha and integers,
| logging everything else and not allowing to form a SQL statement
| at all? Then allow very select special characters like ; only in
| a specific position. Just my 2 cents.

Because that's not the general solution. If you program, say, a bank application, you cannot simply say that nobody named O'Connor will be allowed to register. If you program a discussion site for programmers, you cannot remove selected characters from the notes, because the program snippets people would like to include may legitimately contain some of those special characters.

The problem is that input validation is _not_ about filtering for all possible subsystems (such as databases) to which you intend to pass data. For some types of input you may put strict limitations on what characters are accepted. For others you may not. No serious customer in the world will accept that "we cannot allow quotes and backslashes in the input because the database will choke." No matter what restrictions you put on valid input, you may have to escape some characters before passing data along to a subsystem. And that's what it's all about.

The OWASP (www.owasp.org) Filters project introduces the term "boundary filtering" [1]: You do input validation when data passes the boundary/border between the client and your application. And you do subsystem filtering when the data passes from your application to one of many possible subsystems, including the end users' browsers (to prevent Cross-site Scripting).

The "boundary filtering" approach is the most ingenious method proposed so far, IMNSHO. And to be even less humble, it's the same kind of filtering I (and most likely more people) have preached for the last couple of years, although I failed to come up with that cool term. Drats. :)

Sverre.

1: Until someone tells me otherwise, I give Alex Russell the credit for that cool term, because I first saw it in one of his documents.

-- 
shh () thathost com
Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/
http://nerdquiz.thathost.com/
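The two-layer model the post describes (validate at the client/application boundary, then filter separately for each subsystem) as a small added Python example; this is not code from the post or from the OWASP Filters project. It assumes an in-memory sqlite3 table and a constructed, deliberately permissive name rule so that "O'Connor" is accepted at the boundary; the quote is then handled by the database driver (parameterized query) and by HTML escaping for the browser subsystem, rather than by rejecting it at the door. The string-splicing insert is kept only to show that a legitimate apostrophe breaks it.

```python
import html
import re
import sqlite3

# Boundary filtering: the rule describes what a name may legitimately
# look like, not what the database or browser can tolerate. A name such
# as O'Connor must pass. (Constructed rule: letter first, then letters,
# apostrophes, spaces or hyphens, at most 64 characters in total.)
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")


def validate_name(raw: str) -> str:
    """Return the name unchanged if it passes the boundary rule, else raise."""
    if not NAME_RE.fullmatch(raw):
        raise ValueError(f"rejected at boundary: {raw!r}")
    return raw


def open_db() -> sqlite3.Connection:
    """Constructed in-memory customers table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


# Subsystem filtering done wrong: splicing the text into the statement.
# A legitimate O'Connor breaks the SQL, which is the symptom the post is
# arguing about; the fix is not to ban the apostrophe.
def insert_unsafe(conn: sqlite3.Connection, name: str) -> None:
    conn.execute(f"INSERT INTO customers (name) VALUES ('{name}')")
    conn.commit()


# Subsystem filtering done right for the database: the driver carries the
# value separately from the statement, so no character needs escaping here.
def insert_safe(conn: sqlite3.Connection, name: str) -> None:
    conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))
    conn.commit()


def find_by_name(conn: sqlite3.Connection, name: str) -> list[str]:
    rows = conn.execute("SELECT name FROM customers WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


# Subsystem filtering for the browser: escape at the point of rendering.
# quote=True also turns the apostrophe into an entity, so the same value is
# safe inside an HTML attribute as well as in text content.
def render_greeting(name: str) -> str:
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def register(conn: sqlite3.Connection, raw_name: str) -> str:
    """Boundary validation, then the DB subsystem, then the browser subsystem."""
    name = validate_name(raw_name)
    insert_safe(conn, name)
    return render_greeting(name)


def demo() -> dict[str, str]:
    """Run constructed sample inputs through both paths and collect the outcomes."""
    conn = open_db()
    results: dict[str, str] = {}
    for raw in ["O'Connor", "Alice", "Bob<script>", "x\x00y"]:  # constructed inputs
        try:
            results[raw] = register(conn, raw)
        except ValueError as exc:
            results[raw] = str(exc)
    try:
        insert_unsafe(conn, "O'Connor")
        results["unsafe"] = "no error"
    except sqlite3.OperationalError as exc:
        results["unsafe"] = "syntax error: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The boundary check rejects inputs that are not plausible names at all (angle brackets, control characters), and that rejection is logged or reported as a validation failure. Everything that passes is then handed to each subsystem through that subsystem's own mechanism: bound parameters for SQL, entity escaping for HTML. Neither layer has to know about the other's special characters, which is the separation the post is advocating.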
Current thread:
- Re: SQL Injection Basics, (continued)
- Re: SQL Injection Basics Taco Fleur (Feb 10)
- RE: SQL Injection Basics Robert Nilsen (Feb 10)
- Re: SQL Injection Basics Dirk Gomez (Feb 10)
- RE: SQL Injection Basics Keith Smith (Feb 10)
- Re: SQL Injection Basics Kevin Spett (Feb 10)
- Re: SQL Injection Basics Dejan Bosanac (Feb 11)
- Re: SQL Injection Basics Dirk Gomez (Feb 11)
- Re: SQL Injection Basics Dejan Bosanac (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics Alex Russell (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics Alex Russell (Feb 11)
- Re: SQL Injection Basics Jerry Connolly (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Jerry Connolly (Feb 11)