WebApp Sec mailing list archives
Re: SQL Injection
From: "Sverre H. Huseby" <shh () thathost com>
Date: Wed, 16 Jun 2004 19:55:46 +0200
[David Cameron]
| Suppose you have a comment which is represented at the web app as
| a textbox and in the database as a VarChar(2000) column. Consider
| the case where someone enters 2001 characters into the field. As
| far as the web application is concerned, text is text and how much
| text should be allowed is a concern for the database.

My current view: The length of the field in the database is not an SQL metacharacter problem, and thus should not (necessarily) be handled in the interface between the app and the database. By specifying a length restriction when defining the table, one in fact says that "in this application the comment is limited to 2000 chars". It may be seen as an application constraint, not a database constraint.

If you accept that view, then the length check belongs with the input validation part of the code (the boundary between the client and the app). Input validation is supposed to make sure incoming data matches the expectations (or rules) of the application.

If the input validation part fails to check the length restriction (and you agree that it should have done it), then an appropriate action upon an error return from the database would be to throw an exception (or equivalent). Parts of the code have failed to do their job, and it makes no sense to continue.

Sverre.

--
shh () thathost com
My web security book: Innocent Code
http://shh.thathost.com/
http://innocentcode.thathost.com/
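The layering Sverre describes, as an added example that is not part of the original message: the 2000-character limit is enforced by the input-validation layer at the client/app boundary, the database call uses a parameterized query so the comment text is never treated as SQL, and a length error coming back from the database is treated as a bug (an exception that stops processing) rather than a condition to recover from. The schema, the in-memory SQLite database, the `CHECK (length(body) <= 2000)` constraint standing in for `VarChar(2000)`, and all function names are assumptions for illustration; the `validate=False` switch exists only to show what happens when the validation layer has been skipped.

```python
import sqlite3

# Assumed application rule, mirroring the VarChar(2000) column in the post.
COMMENT_MAX_LEN = 2000


class ValidationError(ValueError):
    """Raised at the client/app boundary when input breaks an application rule."""


def validate_comment(text):
    """Input validation: the length rule lives here, not in the DB interface."""
    if not isinstance(text, str):
        raise ValidationError("comment must be a string")
    if len(text) > COMMENT_MAX_LEN:
        raise ValidationError(
            "comment exceeds %d characters (got %d)" % (COMMENT_MAX_LEN, len(text))
        )
    return text


def open_db():
    """Constructed in-memory schema; CHECK stands in for VarChar(2000)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments ("
        " id INTEGER PRIMARY KEY,"
        " body TEXT NOT NULL CHECK (length(body) <= 2000))"
    )
    return conn


def store_comment(conn, text, validate=True):
    """App/DB boundary: parameterized query; a DB length error is a bug, so raise."""
    if validate:
        text = validate_comment(text)
    try:
        # The '?' placeholder keeps metacharacters in the text as data, not SQL.
        cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (text,))
    except sqlite3.IntegrityError as exc:
        # Input validation should have caught this; do not continue silently.
        raise RuntimeError(
            "database rejected a comment that input validation should have caught"
        ) from exc
    conn.commit()
    return cur.lastrowid


def try_store(conn, text, validate=True):
    """Drive store_comment and report which layer rejected the input, if any."""
    try:
        row_id = store_comment(conn, text, validate=validate)
    except ValidationError:
        return "rejected_by_app"
    except RuntimeError:
        return "rejected_by_db"
    return "stored:%d" % row_id


def fetch_body(conn, row_id):
    """Return the stored comment text verbatim."""
    row = conn.execute("SELECT body FROM comments WHERE id = ?", (row_id,)).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    db = open_db()
    print(try_store(db, "a" * 2000))                  # stored:1
    print(try_store(db, "a" * 2001))                  # rejected_by_app
    print(try_store(db, "a" * 2001, validate=False))  # rejected_by_db
    # Constructed input with SQL metacharacters is stored as plain data.
    print(try_store(db, "x'); DROP TABLE comments; --"))
    print(db.execute("SELECT count(*) FROM comments").fetchone()[0])
```

With validation in place the over-long comment never reaches the database; with validation bypassed the CHECK constraint fires and the app raises instead of carrying on, which is the behaviour the post argues for. The metacharacter case is handled by the placeholder, independently of the length rule.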