WebApp Sec mailing list archives
Re: SQL Injection
From: Rogan Dawes <discard () dawes za net>
Date: Mon, 14 Jun 2004 08:36:38 +0200
Stephen de Vries wrote:

> On 9 Jun 2004, at 18:39, Steven M. Christey wrote:
>
> > < snip >
> >
> > So, I guess my point is that whitelists can't be used in isolation.
> > Quoting and encoding must still play a role when passing inputs between
> > data boundaries. Sorry if this is old hat to everyone else.
>
> That's a good point - input validation should really be performed in
> every processing context, because it is only in that context that you
> know what is valid and what is invalid data.
Exactly. I think that Alex Russell first started talking about "boundary validation" [1] (although I think that Sverre Huseby was talking about the concept previously), which refers to making sure that content inappropriate for the "service" on the other side of the boundary is appropriately filtered. This could be done on either side of the boundary, of course, but is not restricted to "input filtering".
For example, boundary filtering should be done from application to database, and from application to client. Doing it properly in these two places would eliminate SQL injection and XSS.
It should also be done between application and LDAP directory, between application and XML messaging service, between application and text log file, etc.
Simply saying "input validation" fails to recognise that you can have very different rules and requirements for each of the above.
You also end up with data in different formats, or in different representations, which could lead to corruption if you are doing quoting in different places.
Rogan

[1] http://seclists.org/lists/webappsec/2003/Jan-Mar/0136.html

--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added to my
blacklist. Please respond to "lists AT dawes DOT za DOT net"
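The boundaries Rogan lists above (application to database, to client, to LDAP directory, to text log file) each need their own encoding, and his last point is that encoding for the wrong boundary corrupts data. The following is an added illustration in Python, not code from the thread or from any of its authors: one constructed input value is passed across four boundaries with the encoding appropriate to each, and a final function shows what goes wrong when the client-side (HTML) encoding is applied before the database boundary. The function names, the `users` table and the sample input are assumptions made for this example.

```python
import html
import re
import sqlite3

# Constructed sample input: harmless as a name, but carries a SQL quote,
# an HTML tag, LDAP filter metacharacters and a line break.
SAMPLE_INPUT = "o'brien<b>*)(uid=*)\nfake log line"


def to_sql(conn, name):
    """Application -> database boundary.

    A parameterised query lets the driver keep the value separate from the
    SQL text, so no quoting of the value is needed (or wanted) here."""
    conn.execute("CREATE TABLE IF NOT EXISTS users (name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0]


def to_html(name):
    """Application -> client boundary: escape for an HTML text context."""
    return html.escape(name, quote=True)


# RFC 4515 escapes for the characters that have meaning inside an LDAP filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00",
}


def to_ldap_filter(name):
    """Application -> LDAP directory boundary: filter-value escaping."""
    escaped = "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in name)
    return f"(uid={escaped})"


def to_log(name):
    """Application -> text log file boundary.

    Line breaks are replaced so a supplied value cannot masquerade as an
    additional log record; HTML or SQL escaping would be meaningless here."""
    return "login attempt for user=" + re.sub(r"[\r\n]", " ", name)


def demo(value=SAMPLE_INPUT):
    """Run one value across all four boundaries and return each encoding."""
    conn = sqlite3.connect(":memory:")
    return {
        "sql_roundtrip": to_sql(conn, value),   # stored and read back unchanged
        "html": to_html(value),
        "ldap": to_ldap_filter(value),
        "log": to_log(value),
    }


def stored_after_wrong_boundary(name):
    """The corruption case: HTML-encoding the value before it crosses the
    database boundary stores the encoded form, so what is later read back
    (and perhaps passed on to LDAP or compared with user input) is no longer
    the value the user entered."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS users (name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", (to_html(name),))
    return conn.execute("SELECT name FROM users").fetchone()[0]


if __name__ == "__main__":
    for boundary, encoded in demo().items():
        print(f"{boundary:14} {encoded!r}")
    print("wrong order  ", repr(stored_after_wrong_boundary(SAMPLE_INPUT)))
```

The point the code makes is the one in the post: the value stored in the database is the raw string, and each consumer applies its own encoding at the moment the data crosses to it. Deciding on "input validation" once at the HTTP layer cannot produce all four of these representations, and applying one of them too early (the last function) leaves a different string in storage than the one the user supplied.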