WebApp Sec mailing list archives
Re: Re: Canonicalization
From: Mariusz Pękala <skoot () qi pl>
Date: Thu, 13 Apr 2006 21:24:12 +0200
On 2006-04-13 07:17:57 -0000 (Thu, Apr), susam_pal () yahoo co in wrote:
I am writing some examples. Please tell me if these are the examples of Canonicalization. 1. When an web application gets parameters from a GET request or POST request, and if that parameter is going to be used as a part of an SQL query, then the programmer must take care to convert the single-quote (') to two single-quotes('') for Oracle Database in order to prevent SQL injection. Is this canonicalization? 2. Take a guestbook of a site. The feedback given is going to appear back in the web-page. Here we need to take care that things like "<font>" should be converted to ">font<" before it appears on the page. Is this a case of canonicalization?
I suppose, no. These are examples of ... err.. escaping or quoting. Canonicalization would be, for example, ensuring that ' is changed to single quote, or removing backslashes from places where they are not needed - <f\ont> => <font> See http://en.wikipedia.org/wiki/Canonicalization -- No virus found in this outgoing message. Checked by "grep -i virus $MESSAGE" Trust me.
Attachment:
_bin
Description:
Current thread:
- Re: Canonicalization, (continued)
- Re: Canonicalization Peter Conrad (Apr 21)
- Re: Canonicalization exon (Apr 21)
- Re: Canonicalization Jason Murray (Apr 23)
- Re: Canonicalization exon (Apr 24)
- Re: Canonicalization Eoin (Apr 21)
- Re: Canonicalization Andrew van der Stock (Apr 22)
- Re: Canonicalization Rogan Dawes (Apr 14)
- Re: Canonicalization Jason (Apr 14)
- Re: Re: Canonicalization Mariusz Pękala (Apr 14)
- Re: Re: Canonicalization Peter Conrad (Apr 18)