WebApp Sec mailing list archives

Re: Re: Canonicalization

From: Mariusz Pękala <skoot () qi pl>
Date: Thu, 13 Apr 2006 21:24:12 +0200

On 2006-04-13 07:17:57 -0000 (Thu, Apr), susam_pal () yahoo co in wrote:

I am writing some examples. Please tell me if these are the examples
of Canonicalization.

1. When an web application gets parameters from a GET request or POST
request, and if that parameter is going to be used as a part of an SQL
query, then the programmer must take care to convert the single-quote
(') to two single-quotes('') for Oracle Database in order to prevent
SQL injection. Is this canonicalization?

2. Take a guestbook of a site. The feedback given is going to appear
back in the web-page. Here we need to take care that things like
"<font>" should be converted to "&gt;font&lt;" before it appears on
the page. Is this a case of canonicalization?


I suppose, no. These are examples of ... err.. escaping or quoting.

Canonicalization would be, for example, ensuring that &#039; is changed
to single quote, or removing backslashes from places where they are not
needed - <f\ont> => <font>

See http://en.wikipedia.org/wiki/Canonicalization

-- 
No virus found in this outgoing message.
Checked by "grep -i virus $MESSAGE"
Trust me.

Attachment: _bin
Description:

Current thread:

Re: Canonicalization, (continued)
- - - Re: Canonicalization Peter Conrad (Apr 21)
    - Re: Canonicalization exon (Apr 21)
    - Re: Canonicalization Jason Murray (Apr 23)
    - Re: Canonicalization exon (Apr 24)
    - Re: Canonicalization Eoin (Apr 21)
    - Re: Canonicalization Andrew van der Stock (Apr 22)
- Re: RE: Canonicalization jovan . burd (Apr 13)
- Re: Re: Canonicalization susam_pal (Apr 13)
  - Re: Canonicalization Rogan Dawes (Apr 14)
  - Re: Canonicalization Jason (Apr 14)
  - Re: Re: Canonicalization Mariusz Pękala (Apr 14)
    - Re: Re: Canonicalization Peter Conrad (Apr 18)