WebApp Sec mailing list archives
Re: tips to secure a web application
From: ".Saphyr" <saphyr () infomaniak ch>
Date: Fri, 20 Feb 2004 12:39:06 +0100
Are there any libraries for constructing queries from untrusted inputs such as parameters to web apps, that send text-based SQL to the database, and that automatically filter the input (eg using regexps) to prevent SQL injection attacks? In particular, do these prepared statement libraries filter out inputs that include quotes and other nasties, by default? Andy
Actually, you have 2 choices. Either you use a regexp rule which only allows what is allowed, or you set a regexp which checks for well known flaws and prevents them. As you can guess, the best one is the first.

If you want for example a username, containing only letters and/or numbers, with a variable length of 8 to 14 characters, you would set that regular expression pattern: "^[a-zA-Z]{8,14}$"

Using the second technique, I mean checking for invalid characters or patterns such as " ' " or " @@ " or " -- " and so on, requires you to have expert knowledge of the SQL language and all DB server options and possible calls. It is dangerous and you never know in advance what else could be done...

Just read this document and you're all set: http://java.sun.com/docs/books/tutorial/extra/TOC.html#regex

.Antoine
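The two approaches from the reply above, side by side, as an added example that is not part of the thread: an allowlist pattern (here widened to letters and digits, as the message's wording describes; the pattern quoted in the thread admits letters only), a deliberately incomplete denylist of "well known" fragments, and a parameterised query against an in-memory SQLite table. The last part answers Andy's question from a practitioner's view: prepared-statement APIs do not filter quotes out of the input; they bind the value as data so it never becomes part of the SQL text. Table name, column names and sample rows are constructed for the example.

```python
import re
import sqlite3

# Allowlist: letters and digits only, 8 to 14 characters (constructed pattern).
# re.fullmatch is used rather than re.match, because with re.match the "$"
# anchor would still accept a value with a trailing newline.
USERNAME_RE = re.compile(r"^[A-Za-z0-9]{8,14}$")

# Denylist: a few fragments one might think of. Intentionally incomplete,
# to show why the reply prefers the allowlist.
DENYLIST = ("'", "--", "@@", ";")


def is_valid_username(value: str) -> bool:
    """Allowlist check: accept only the shape the application needs."""
    return USERNAME_RE.fullmatch(value) is not None


def denylist_passes(value: str) -> bool:
    """Denylist check: rejects only the fragments we happened to list."""
    return not any(fragment in value for fragment in DENYLIST)


def compare_checks(values):
    """Return (value, allowlist_ok, denylist_ok) for each candidate, so the
    gap between the two techniques is visible on concrete inputs."""
    return [(v, is_valid_username(v), denylist_passes(v)) for v in values]


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample table: two users and their roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice2004", "admin"), ("bobsmith1", "user")],
    )
    conn.commit()
    return conn


def lookup_role(conn: sqlite3.Connection, username: str):
    """Parameterised query: the driver binds `username` as a value, so a quote
    inside it is compared literally instead of terminating the SQL string.
    Returns the role, or None when no such user exists."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def lookup_role_validated(conn: sqlite3.Connection, username: str):
    """Both layers together: reject malformed input early, then bind the
    value. Validation limits what reaches the database; binding keeps data
    and SQL apart even if validation is later relaxed."""
    if not is_valid_username(username):
        return None
    return lookup_role(conn, username)


if __name__ == "__main__":
    # Constructed candidates: a good name, one with a space, one with a quote,
    # one with a trailing newline.
    for value, allow_ok, deny_ok in compare_checks(
        ["alice2004", "bob smith 001", "o'connor12", "alice2004\n"]
    ):
        print(f"{value!r:20} allowlist={allow_ok!s:5} denylist={deny_ok}")
    db = build_demo_db()
    print(lookup_role_validated(db, "alice2004"))
    print(lookup_role(db, "alice2004'"))
```

The `compare_checks` output makes the point of the reply concrete: the space-separated name and the newline-terminated name sail through the denylist because nobody listed those characters, while the allowlist rejects them because they are simply not in the permitted set.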
Current thread:
- tips to secure a web application ermelir (Feb 18)
- <Possible follow-ups>
- RE: tips to secure a web application Leung, Annie LDB:EX (Feb 19)
- Re: tips to secure a web application ermelir (Feb 19)
- Re: tips to secure a web application .Saphyr (Feb 19)
- RE: tips to secure a web application Lars Troen (Feb 19)
- Re: tips to secure a web application Martin Tsachev (Feb 20)
- RE: tips to secure a web application Andy Gordon (Feb 20)
- Re: tips to secure a web application .Saphyr (Feb 20)
- Re: tips to secure a web application .Saphyr (Feb 22)