WebApp Sec mailing list archives
Re: SQL Injection Basics
From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 11 Feb 2003 23:09:12 +0100
[Alex Russell]
| Thanks for the kind words Sverre = )

You're welcome! :)

| > 1: Until someone tells me otherwise, I give Alex Russell the credit
| > for that cool term, because I first saw it in one of his documents.
|
| I'm pretty sure the concepts of defense in depth will be traceable
| as far back as someone has had something someone else wanted, and
| someone was able to write it down. = )

I'm not crediting you for "defense in depth", but for the term
"boundary filtering" as used in the context of a web application.
The term makes it perfectly clear how filtering should be done, not
only to have defense in depth, but to have things that actually work,
even if there is no attack going on.

What do I mean by "things that actually work"? Say that one user
registers as "O'Connor" (my favorite, troublesome name). The "input
validation" people (for example those thinking that PHP's
magic_quotes saves them) will escape the quote when the guy enters
his name. Then they will store the name in the database. That's all
for the troublesome quote character: It was dealt with at input time,
and will never be dealt with again.

Now say that part of the application logic reads names from the
database and stores them in another table using dynamic SQL queries.
The "input validation" people will run into trouble as the quote
shows up in an SQL string constant again. The "boundary filtering"
people, on the other hand, do not escape the quote character as it
comes in, but rather as they pass it to the database. _Every_time_
they pass a string to the database, that is. They will never run into
the "second order" problem described above.

Most web developers should stop thinking about "input validation",
and start thinking about "boundary filtering". Not because input
validation is unimportant, but because boundary filtering is broader.
It even covers input validation.

That's why I think the term is ingenious: It is a well-formulated
term for the correct approach, compared to the old term that just
focuses on one (small) part of the application boundary.

Sverre.

-- 
shh () thathost com               Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/          http://nerdquiz.thathost.com/
Current thread:
- Re: SQL Injection Basics, (continued)
- Re: SQL Injection Basics Kevin Spett (Feb 10)
- Re: SQL Injection Basics Dejan Bosanac (Feb 11)
- Re: SQL Injection Basics Dirk Gomez (Feb 11)
- Re: SQL Injection Basics Dejan Bosanac (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics Alex Russell (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics Alex Russell (Feb 11)
- Re: SQL Injection Basics Jerry Connolly (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Jerry Connolly (Feb 11)
- Re: SQL Injection Basics Ken Anderson (Feb 11)
- Re: WebSleuth and the SQLInjeciton Plugin Chip Andrews (Mar 10)