Re: SQL Injection

[Rogan Dawes <discard () dawes za net>]

Stephen de Vries wrote:
> On 9 Jun 2004, at 18:39, Steven M. Christey wrote:
> < snip >
>
> > So, I guess my point is that whitelists can't be used in isolation.
> > Quoting and encoding must still play a role when passing inputs
> > between data boundaries.  Sorry if this is old hat to everyone else.
>
>
> That's a good point - Input validation should really be performed in 
> every processing context, because it is only in that context that you 
> know what is valid and what is invalid data.

Exactly. I think that Alex Russell first started talking about "boundary 
validation" [1] (although I think that Sverre Huseby was talking about 
the concept previously), which refers to making sure that content 
inappropriate for the "service" on the other side of the boundary is 
appropriately filtered. This could be done on either side of the 
boundary, of course, but is not restricted to "input filtering".

For example, boundary filtering should be done from application to 
database, and from application to client. Doing it properly in these two 
places would eliminate SQL injection and XSS.

It should also be done between application and LDAP directory, between 
application and XML messaging service, between application and text log 
file, etc.

Simply saying "input validation" fails to recognise that you can have 
very different rules and requirements for each of the above.

You also end up with data in different formats, or in different 
representations, which could lead to corruption if you are doing quoting 
in different places.

Rogan

[1]. http://seclists.org/lists/webappsec/2003/Jan-Mar/0136.html
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"