WebApp Sec mailing list archives
Re: SQL Injection
From: "Steven M. Christey" <coley () mitre org>
Date: Thu, 3 Jun 2004 20:35:00 -0400 (EDT)
The best way would be creating a white list, allowing only defined characters and rejecting everything else. Saves you headaches in the long run. Use Regexs for this.
While white lists are far better than black lists, the correct "white list" will vary depending on which type of vulnerability you are protecting against. For example, restricting inputs to alphanumeric, spaces, and hyphens will still open you up to certain argument injection vulnerabilities. So, you may need to apply different white lists to the data, depending on where (and how) the data is being used, and which types of vulnerabilities may be present at that point. You may want to use a "SQL injection" white list on data input, with an "XSS white list" on data output (though "XSS white list" is almost an oxymoron these days, with all the custom browser behaviors). It would be interesting to know if anybody's tried to implement "context-sensitive taint checks" that know which filters have been applied to data elements, and when. - Steve
Current thread:
- SQL Injection Emanuele Zattin (May 31)
- Re: SQL Injection windo (Jun 01)
- RE: SQL Injection V. Poddubniy (Jun 01)
- Re: SQL Injection Serg B. (Jun 01)
- Re: SQL Injection RSnake (Jun 01)
- Re: SQL Injection Paul (Jun 01)
- <Possible follow-ups>
- RE: SQL Injection Scovetta, Michael V (Jun 01)
- Re: SQL Injection David Cameron (Jun 02)
- RE: SQL Injection Imperva Application Defense Center (Jun 02)
- RE: SQL Injection stevenr (Jun 02)
- Re: SQL Injection Steven M. Christey (Jun 03)
- Re: SQL Injection The Crocodile (Jun 04)
- RE: SQL Injection stevenr (Jun 06)
- RE: SQL Injection The Crocodile (Jun 06)
- Re: SQL Injection Jeff Williams (Jun 08)
- Re: SQL Injection saphyr (Jun 09)
- RE: SQL Injection The Crocodile (Jun 06)
- Request for comments - French readers saphyr (Jun 08)
- Re: SQL Injection Steven M. Christey (Jun 08)
- RE: SQL Injection Michael Howard (Jun 09)
- RE: SQL Injection or XML gcb33 (Jun 09)
- RE: SQL Injection Michael Howard (Jun 09)