WebApp Sec mailing list archives

Re: tips to secure a web application


From: ".Saphyr" <saphyr () infomaniak ch>
Date: Fri, 20 Feb 2004 12:39:06 +0100

Are there any libraries for constructing queries from untrusted inputs
such as parameters to web apps, that send text-based SQL to the
database, and that automatically filter the input (eg using regexps) to
prevent SQL injection attacks?  In particular, do these prepared
statement libraries filter out inputs that include quotes and other
nasties, by default?
Andy

Actually, you have 2 choices. Either you use a regexp rule which only
allows what is allowed, or you set a regexp which checks for well-known
flaws and prevents them.

As you can guess, the best one is the first. If you want, for example, a
username containing only letters and/or numbers, with a variable length
of 8 to 14 characters, you would set this regular expression pattern:

"^[a-zA-Z0-9]{8,14}$"

Using the second technique, I mean checking for invalid characters or
patterns such as " ' " or " @@ " or " -- " and so on, requires you to have
expert knowledge of the SQL language and all DB server options and
possible calls. It is dangerous and you never know in advance what else
could be done...

Just read this document and you're all set: 
http://java.sun.com/docs/books/tutorial/extra/TOC.html#regex


.Antoine
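The two points raised in this exchange, shown as an added example that is not part of the original post or its author's code: Antoine's allowlist pattern (extended here, as an assumption, to accept digits as well as letters, since the text asks for "letters and/or numbers") beside a denylist of the "well known" fragments he mentions, and Andy's question about whether prepared statements filter quotes. They do not filter anything; the driver binds the value as data, so a quote in the input never becomes part of the SQL text. The database, table and sample rows are constructed in memory for the demonstration.

```python
import re
import sqlite3

# Allowlist: only what the specification says a username may be.
# The original message used letters only; digits are added here as an
# assumption because the surrounding text says "letters and/or numbers".
USERNAME_RE = re.compile(r"^[a-zA-Z0-9]{8,14}$")

# Denylist of the fragments mentioned in the message. It is shown only to
# illustrate the author's point: it encodes what is known to be bad, so it
# silently accepts anything the specification never asked for (spaces,
# punctuation, unusual lengths) as long as none of the listed fragments appear.
DENYLIST_RE = re.compile(r"'|--|@@")


def allowlist_ok(username: str) -> bool:
    """Accept the input only if it matches the allowlist pattern."""
    return USERNAME_RE.fullmatch(username) is not None


def denylist_ok(username: str) -> bool:
    """Reject the input only if a known-bad fragment is present."""
    return DENYLIST_RE.search(username) is None


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alicesmith", "s1"), ("bobjohnson", "s2")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """The unsafe pattern: text-based SQL built by string concatenation.
    A quote in the input changes the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement: the SQL text is fixed and the value is bound.
    Nothing is filtered; a quote is simply part of the compared string."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    """Defence in depth: allowlist first, then bind the parameter."""
    if not allowlist_ok(username):
        raise ValueError("username rejected by allowlist")
    return lookup_parameterized(conn, username)


def concatenation_fails(conn: sqlite3.Connection, username: str) -> bool:
    """True when the concatenated statement is no longer valid SQL for
    this input, i.e. the input has altered the query structure."""
    try:
        lookup_concatenated(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = setup_db()
    for candidate in ("alicesmith", "alice smith", "o'brien"):
        print(candidate, "allowlist:", allowlist_ok(candidate),
              "denylist:", denylist_ok(candidate),
              "concatenation breaks:", concatenation_fails(db, candidate),
              "parameterized:", lookup_parameterized(db, candidate))
```

Run it and the legitimate-looking name `o'brien` breaks the concatenated query while the parameterized lookup just returns no rows; `alice smith` passes the denylist although the specification never allowed a space, which is exactly why the allowlist is preferred.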
