WebApp Sec mailing list archives
Re: PHP for preventing SQL injections?
From: "Sverre H. Huseby" <shh () thathost com>
Date: Wed, 17 Sep 2003 21:22:04 +0200
[Lefevre, Steven]
| Is it possible to make a code that can distinguish between an
| injection attempt and stupid-user data?

The first thing you could do is to categorize all input in two distinct classes: User-generated and server-generated.

User-generated input is what the user is supposed to enter into textual fields: Input tags of types text or password, and textareas.

Server-generated input is all the rest: Values from option lists, checkboxes, hidden fields, cookies, URL-parameters that came from anchor tags and so on. Every input that is supposed to just be returned by the browser in a well-defined format.

User-generated input may contain all kinds of stupid typing mistakes. It may be hard to detect intrusion attempts, at least to be 100% sure a user is trying to do something nasty. You will, of course, have to check that user-generated input matches your rules for every input field, but in general you can't accuse the user of anything. Just inform him that he should modify the input according to your rules.

Server-generated input, on the other hand, should always be well-defined. If it doesn't match what you expect, the user has tampered with data that are normally outside his reach (hidden in the HTML or in some HTTP header). I like to log such tampering as a possible break-in attempt, and have a log monitor inform me of it. I also like to say "shame on you, I've logged this" to the user. :-)

I think most web applications have much more server-generated than user-generated input, so by detecting tampering on server-generated input, you will detect much of the possible tampering. (It may be a good idea to log malformed user-generated input too, but you will probably have many false positives.)

Sverre.

--
shh () thathost com
http://shh.thathost.com/
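The two-class scheme described in the post, as an added example that is not from the post or from any project (written in Python rather than PHP for illustration; the form fields, allowed values, client address and log format are all assumptions):

```python
import logging
import re

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("tamper")

# Two input classes: user-generated text is validated and politely rejected
# on mismatch; server-generated values must be exactly what the server put
# into the page, so a mismatch is treated and logged as tampering.
USER = "user"
SERVER = "server"

# Constructed form description for this example. A USER rule is a regex the
# whole value must match; a SERVER rule is the set of values the server
# itself emitted (option list, hidden field, checkbox).
FORM_SPEC = {
    "comment":    (USER,   re.compile(r"^[\w\s.,!?'-]{1,500}$")),  # textarea
    "country":    (SERVER, {"no", "se", "dk", "fi"}),              # <select>
    "item_id":    (SERVER, {"1001", "1002", "1003"}),              # hidden
    "newsletter": (SERVER, {"", "on"}),                            # checkbox
}

USER_MESSAGE = "Please use only letters, digits and basic punctuation (max 500 chars)."


def validate_request(spec, submitted, client_ip):
    """Return (clean_values, user_errors, tamper_events).

    user_errors maps field -> message to show the user (no accusation);
    tamper_events collects the log lines written for server-field mismatches.
    """
    clean, user_errors, tamper_events = {}, {}, []
    for name, (cls, rule) in spec.items():
        value = submitted.get(name, "")  # an absent checkbox arrives as ""
        if cls == USER:
            if rule.fullmatch(value):
                clean[name] = value
            else:
                user_errors[name] = USER_MESSAGE
        else:
            if value in rule:
                clean[name] = value
            else:
                # Value the browser was only supposed to echo back has changed.
                event = f"tamper field={name} value={value!r} ip={client_ip}"
                log.warning(event)
                tamper_events.append(event)
    return clean, user_errors, tamper_events
```

A log monitor can then alert on the `tamper` lines only, which stay quiet for ordinary typing mistakes in the user-generated fields.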