WebApp Sec mailing list archives
Re: SQL Injection Basics
From: "dreamwvr () dreamwvr com" <dreamwvr () dreamwvr com>
Date: Tue, 11 Feb 2003 14:11:23 -0700
On Tue, Feb 11, 2003 at 08:48:45PM +0100, Sverre H. Huseby wrote:
> [dreamwvr () dreamwvr com] Because that's not the general solution. If you program, say, a bank application, you cannot simply say that nobody named O'Connor will be allowed to register. If you program a discussion site for programmers, you cannot remove selected characters from the notes, because the program snippets people would like to include may legitimately contain some of those special characters.
Yes, then you simply extend the ; example to permit certain patterns in certain fields of a certain max len. Since one never directly updates databases but rather interfaces via a SQL proxy of some sort, right? Then this can do the filtering or translation if you will. Enjoying this thread :-) Somewhat like NAT does for IP traffic with RFC1918 addressing.
> The OWASP (www.owasp.org) Filters project introduces the term "boundary filtering" [1]: You do input validation when data passes the
Yeah, I recall when owasp.org was first being promoted. This is an application :-> of the same concept of 'boundary filtering' that occurs in network layer and transport/session layer filtering, just brought up to the application layer IMHO. This is what dedicated proxies do anyhow, or actually custom proxies. So this really should not be considered the universal solvent or anything. Besides, boundary filtering is nothing new. It has been around for a long time.

Best Regards,
dreamwvr () dreamwvr com
-- 
/* Security is a work in progress - dreamwvr */
# # Note: To begin Journey type man afterboot,man help,man hier[.] #
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \? ;-]
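The two positions in this exchange can be put side by side in code. The following is an added example, not code from either poster or from the OWASP Filters project: it shows the character-stripping fix that Sverre objects to (it silently turns "O'Connor" into "OConnor"), the per-field "certain patterns in certain fields of a certain max len" boundary filter that dreamwvr proposes, and then what happens to a validated surname that still contains an apostrophe when it reaches the database. The rule table `FIELD_RULES`, the customer table and the account numbers are constructed for the example, and the use of a bound parameter as the "general solution" at the database side is this example's assumption, not something the thread spells out.

```python
import re
import sqlite3

# Per-field allowlist rules: the "certain patterns in certain fields of a
# certain max len" idea from the thread, written down as a table
# (constructed rule set for this example, not a real application's).
FIELD_RULES = {
    # A surname may contain letters, spaces, hyphens and an apostrophe,
    # so "O'Connor" is legitimate and must be neither rejected nor mangled.
    "surname": (re.compile(r"^[A-Za-z][A-Za-z' \-]*$"), 64),
    # An account number is digits only, and short.
    "account": (re.compile(r"^[0-9]+$"), 12),
}


def boundary_filter(field, value):
    """Validate one field where data crosses into the application.

    Returns the value unchanged if it matches the field's pattern and
    length limit, otherwise raises ValueError. Nothing is stripped or
    rewritten: the value either passes the rule or is refused outright.
    """
    pattern, max_len = FIELD_RULES[field]
    if len(value) > max_len:
        raise ValueError(f"{field}: longer than {max_len} characters")
    if not pattern.match(value):
        raise ValueError(f"{field}: does not match the allowed pattern")
    return value


def strip_specials(value):
    """The naive fix the thread argues against: drop ' and ; outright."""
    return value.replace("'", "").replace(";", "")


def make_db():
    """Constructed in-memory customer table with one awkward surname."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (account TEXT, surname TEXT)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?)",
        [("100200", "O'Connor"), ("100201", "Huseby")],
    )
    return conn


def lookup_concat(conn, surname):
    """String-built query: a perfectly legitimate apostrophe breaks the SQL."""
    sql = "SELECT account FROM customer WHERE surname = '" + surname + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, surname):
    """Bound parameter: the apostrophe is data, never part of the statement."""
    sql = "SELECT account FROM customer WHERE surname = ?"
    return [row[0] for row in conn.execute(sql, (surname,))]


def demo():
    """Run the three cases and return what each one produced."""
    conn = make_db()
    results = {}
    # 1. Stripping characters silently corrupts a real customer's name.
    results["stripped"] = strip_specials("O'Connor")
    # 2. A per-field allowlist accepts the name and refuses an odd account value.
    results["filtered_ok"] = boundary_filter("surname", "O'Connor")
    try:
        boundary_filter("account", "1002; 01")
        results["filtered_bad"] = "accepted"
    except ValueError:
        results["filtered_bad"] = "rejected"
    # 3. Even a validated surname must reach the database as a parameter:
    #    concatenation fails on the apostrophe, the bound form finds the row.
    try:
        lookup_concat(conn, "O'Connor")
        results["concat"] = "ok"
    except sqlite3.OperationalError:
        results["concat"] = "syntax error"
    results["bound"] = lookup_bound(conn, "O'Connor")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-field filter works for fields whose legitimate content has a describable shape (a surname, an account number). It has no answer for the free-text case Sverre raises, a discussion site where the note body is expected to contain arbitrary program snippets, because no allowlist pattern exists for such a field; that is why the bound parameter in `lookup_bound` is doing the real work, while the filter adds length and shape limits on top of it.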
Current thread:
- RE: SQL Injection Basics, (continued)
- RE: SQL Injection Basics Robert Nilsen (Feb 10)
- Re: SQL Injection Basics Dirk Gomez (Feb 10)
- RE: SQL Injection Basics Keith Smith (Feb 10)
- Re: SQL Injection Basics Kevin Spett (Feb 10)
- Re: SQL Injection Basics Dejan Bosanac (Feb 11)
- Re: SQL Injection Basics Dirk Gomez (Feb 11)
- Re: SQL Injection Basics Dejan Bosanac (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics Alex Russell (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics Alex Russell (Feb 11)
- Re: SQL Injection Basics Jerry Connolly (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Jerry Connolly (Feb 11)
- Re: SQL Injection Basics Ken Anderson (Feb 11)