WebApp Sec mailing list archives

Re: SQL Injection Basics


From: "dreamwvr () dreamwvr com" <dreamwvr () dreamwvr com>
Date: Tue, 11 Feb 2003 14:11:23 -0700

On Tue, Feb 11, 2003 at 08:48:45PM +0100, Sverre H. Huseby wrote:
> [dreamwvr () dreamwvr com]
> Because that's not the general solution.  If you program, say, a bank
> application, you cannot simply say that nobody named O'Connor will be
> allowed to register.  If you program a discussion site for
> programmers, you cannot remove selected characters from the notes,
> because the program snippets people would like to include may
> legitimately contain some of those special characters.
Yes, then you simply extend the ; example to permit certain
patterns in certain fields of a certain max len. Since one
never directly updates databases but rather interfaces via
a SQLproxy of some sort, right? Then this can do the filtering
or translation, if you will. Enjoying this thread :-)
Somewhat like NAT does for IP traffic with RFC1918 addressing.
> The OWASP (www.owasp.org) Filters project introduces the term
> "boundary filtering" [1]: You do input validation when data passes the
Yeah, I recall when owasp.org was first being promoted. This is
an application :-> of the same concept of 'boundary filtering'
that occurs in network layer and transport/session layer filtering,
just brought up to the application layer, IMHO. This is what
dedicated proxies do anyhow, or actually custom proxies.
So this really should not be considered the universal solvent
or anything. Besides, boundary filtering is nothing new. It
has been around for a long time.

Best Regards,
dreamwvr () dreamwvr com

-- 
/*  Security is a work in progress - dreamwvr                 */
#                                                             
# Note: To begin Journey type man afterboot,man help,man hier[.]      
#                                                             
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]
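As an added example (not code from this thread, from OWASP, or from either poster), here is a Python sketch of the per-field boundary filter the reply describes: each field gets its own allowed pattern and maximum length, so a name field can admit O'Connor while an account field admits only digits and a notes field admits program snippets that contain `;`. The field names, patterns, length limits and sample values are all constructed for the example. It goes beyond the post in one respect: the value the filter lets through is handed to SQLite as a query parameter, so the apostrophe in O'Connor reaches the database as data rather than as SQL syntax, which is the check a filter alone does not give you.

```python
import re
import sqlite3

# Per-field allow-list rules: a compiled pattern plus a maximum length.
# These field definitions are constructed for this example, not taken from
# any real application.
FIELD_RULES = {
    # Personal names: letters, spaces, hyphens and apostrophes, so O'Connor passes.
    "name": (re.compile(r"^[A-Za-z][A-Za-z '\-]*$"), 64),
    # Account numbers: digits only, 8 to 12 of them.
    "account": (re.compile(r"^[0-9]{8,12}$"), 12),
    # Free-text notes (e.g. a code snippet): any printable ASCII, newlines and
    # tabs, including ';' and quotes, but bounded in length.
    "note": (re.compile(r"^[\x20-\x7e\n\t]*$"), 2000),
}

# Characters a naive ';'-style blacklist would strip or reject.
NAIVE_BLACKLIST = set(";'\"-")


def naive_blacklist(value):
    """The character-blacklist approach the thread argues against.

    Returns True if the value is accepted. Shown only to illustrate why it is
    not a general solution: it rejects the legitimate name O'Connor.
    """
    return not any(c in NAIVE_BLACKLIST for c in value)


def boundary_filter(field, value):
    """Allow-list check at the application boundary.

    The value must be at most the field's maximum length and must match the
    field's pattern in full. Unknown fields are rejected outright, so a typo in
    a field name fails closed rather than open.
    """
    rule = FIELD_RULES.get(field)
    if rule is None:
        return False
    pattern, max_len = rule
    if len(value) > max_len:
        return False
    return pattern.fullmatch(value) is not None


def store_customer(conn, name, account):
    """Validate at the boundary, then insert using a parameterised query.

    The '?' placeholders make sqlite3 send the values separately from the SQL
    text, so an apostrophe that the name pattern permits is never parsed as
    part of the statement.
    """
    if not boundary_filter("name", name) or not boundary_filter("account", account):
        raise ValueError("input rejected at boundary")
    conn.execute("INSERT INTO customers(name, account) VALUES (?, ?)", (name, account))
    conn.commit()


def names_for_account(conn, account):
    """Read back names for an account, again through a parameterised query."""
    if not boundary_filter("account", account):
        raise ValueError("input rejected at boundary")
    rows = conn.execute("SELECT name FROM customers WHERE account = ?", (account,))
    return [row[0] for row in rows]


def demo():
    """Round-trip an apostrophe-bearing name through an in-memory database.

    Returns (names stored for the sample account, inputs the filter rejected).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers(name TEXT, account TEXT)")
    account = "12345678"  # constructed sample value
    store_customer(conn, "O'Connor", account)
    rejected = []
    for bad in ("O'Connor; extra", "A" * 65):  # ';' not permitted; too long
        try:
            store_customer(conn, bad, account)
        except ValueError:
            rejected.append(bad)
    names = names_for_account(conn, account)
    conn.close()
    return names, rejected


if __name__ == "__main__":
    print("naive blacklist accepts O'Connor:", naive_blacklist("O'Connor"))
    print("boundary filter accepts O'Connor:", boundary_filter("name", "O'Connor"))
    print("note field accepts a snippet with ';':", boundary_filter("note", "x = 1; y = 2"))
    print(demo())
```

The point of the two read paths is that the filter decides what each field may contain and the parameterised query decides how it reaches the database; either one alone leaves a gap, which is why the same apostrophe is both permitted by the name rule and harmless in the INSERT.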

