WebApp Sec mailing list archives
Re: SQL Injection
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 16 Jun 2004 11:17:29 -0500
On Wed, 2004-06-16 at 03:56, Stephen de Vries wrote:
> But I think we agree that the data must be validated at some point, so instead of validating it in a function just before output, it would be more elegant to define another function that accepts the data and validates it as input.
I understand what you are saying. But calling it input and output depends on the point of view of the observer. I was (in my mind) segmenting it into trust boundaries. You trust your code, you don't trust the user. The user inputs data to your code, and your code outputs data to the user.

Perhaps we should just call it data validation, without explicitly labeling it input and output. That way data validation can be applied between trust boundaries, or application modules/functions. (That way Jeff can keep it a Top 10 list ;)

What are your thoughts?

Regards,
Frank
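The trust-boundary framing above (user to code, code to database, code back to user) is easiest to see with one validation or encoding step per crossing. The following is an added example, not code from either poster: a single validator applied where untrusted data enters, a parameterized query where the code talks to the database, and output encoding where data goes back to the browser. The function names, the allow-list regex and the in-memory SQLite table are all constructed for the example.

```python
import html
import re
import sqlite3
from typing import Optional

# Constructed in-memory database so the example runs offline.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
_conn.executemany(
    "INSERT INTO users VALUES (?, ?)",
    [("alice", "alice@example.invalid"), ("o'brien", "ob@example.invalid")],
)

# Allow-list for the username domain (hypothetical rule: lowercase, digits,
# a few punctuation characters, at most 32 characters).
_USERNAME_RE = re.compile(r"[a-z0-9'._-]{1,32}")


class ValidationError(ValueError):
    """Raised when data fails validation at the user -> code boundary."""


def validate_username(raw: str) -> str:
    """Boundary 1: untrusted user -> trusted code.

    The check enforces the *domain* rules of a username. It does not try to
    know anything about SQL or HTML; those are other boundaries' concerns.
    """
    if not isinstance(raw, str) or _USERNAME_RE.fullmatch(raw) is None:
        raise ValidationError(f"username rejected: {raw!r}")
    return raw


def lookup_email(username: str) -> Optional[str]:
    """Boundary 2: code -> database.

    A parameterized query hands the value to the driver as data, so an
    apostrophe in a legitimate name is never interpreted as SQL syntax.
    """
    row = _conn.execute(
        "SELECT email FROM users WHERE name = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def render_greeting(username: str) -> str:
    """Boundary 3: code -> user's browser. Encode for the output context."""
    return f"<p>Hello, {html.escape(username, quote=True)}</p>"


def handle_request(raw_username: str) -> dict:
    """Ties the three boundaries together: validate once on the way in,
    parameterize on the way to the database, encode on the way out."""
    try:
        name = validate_username(raw_username)
    except ValidationError as exc:
        return {"status": 400, "body": str(exc)}
    email = lookup_email(name)
    if email is None:
        return {"status": 404, "body": render_greeting(name) + "<p>(no account)</p>"}
    return {"status": 200, "body": render_greeting(name), "email": email}


if __name__ == "__main__":
    for candidate in ("alice", "o'brien", "Alice", "bob<script>", "nobody"):
        print(candidate, "->", handle_request(candidate))
```

The point of keeping the three steps separate is the one Frank makes: each validation or encoding step belongs to a boundary, not to a notion of "input" or "output". The validator can legitimately accept `o'brien` because the database boundary is protected by parameterization rather than by the validator stripping quotes, and the HTML encoder handles the same apostrophe for the browser context.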