WebApp Sec: Database Encryption -- Sql Injection

From: Dave Bergert <dbergert_at_nobel-net.com>
Date: Mon, 21 Apr 2003 20:31:48 -0500

Does anyone have any comments on where best to incorporate column-level
encryption in a database field? At the database server level (via a
User Defined Function) or at the application level? Which would be less
impervious to SQL injection?

I am on an MS-SQL 2000 and IIS platform.

If I had a User Defined Function, for example:
 Select decrypt(AccountNumber, 'key') from tblTable where User = 'someuser'

If SQL injection occurs:
 Select decrypt(AccountNumber, 'key') from tblTable where User = 'someuser' or 1=1

In this case, if SQL injection occurs, the encrypted field will be
automatically decrypted by the UDF, showing all AccountNumbers.

If I had the decryption handled at the application:
 Select encryptedAccountNumber from tblTable where User = 'someuser'

And had the application call:
 AccountNumber = DecryptFunction(ResultSet("encryptedAccountNumber"), "key")

If SQL injection occurs, the only way data could be seen is through
whatever mechanism the application uses to display the AccountNumber.

(Are these scenarios identical ?)

I know that encryption is not a substitute for good input sanity
validation. Which method would be better to implement?
Thanks for comments.

Regards,
Dave Bergert
Received on Apr 22 2003
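The following is an added example, not code from the original post or from the WebApp Sec list, that builds both designs from the post and runs the injected WHERE clause against each. It uses Python's sqlite3 as a stand-in for MS-SQL 2000: a registered Python function stands in for the server-side UDF, and a toy SHA-256 keystream cipher stands in for real column encryption (illustration only, not production crypto). The table and column names (tblTable, User, AccountNumber) come from the post; the function names udf_side, app_side, safe_query, the constant KEY and the three sample rows are assumptions constructed for the example.

```python
import hashlib
import os
import sqlite3

# Toy cipher for illustration only: XOR with a SHA-256-derived keystream.
# It exists so the example runs with the standard library; use a real AEAD
# (AES-GCM or similar) for actual column encryption.
def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(plaintext, key):
    nonce = os.urandom(16)
    data = plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt(ciphertext, key):
    nonce, data = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data)))).decode()

KEY = b"demo-key-not-for-production"  # assumed key for the example

def build_db():
    """In-memory table with constructed sample rows; the registered
    'decrypt' function plays the role of the MS-SQL UDF from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblTable (User TEXT, AccountNumber BLOB)")
    for user, acct in [("someuser", "1111-2222"), ("bob", "3333-4444"), ("carol", "5555-6666")]:
        conn.execute("INSERT INTO tblTable VALUES (?, ?)", (user, encrypt(acct, KEY)))
    conn.create_function("decrypt", 2, lambda c, k: decrypt(c, k.encode()))
    return conn

def udf_side(conn, user_input):
    """Design 1 from the post: decryption happens inside the SQL engine.
    The query is string-built, so user_input can alter the WHERE clause,
    and whatever the altered clause matches comes back already decrypted."""
    sql = (f"SELECT decrypt(AccountNumber, '{KEY.decode()}') FROM tblTable "
           f"WHERE User = '{user_input}'")
    return [row[0] for row in conn.execute(sql)]

def app_side(conn, user_input, expect_one):
    """Design 2 from the post: the query returns ciphertext and the
    application decrypts. Still string-built, so the same injection
    returns every row; what leaks depends on how many rows the
    application goes on to decrypt and display."""
    sql = f"SELECT AccountNumber FROM tblTable WHERE User = '{user_input}'"
    rows = conn.execute(sql).fetchall()
    if expect_one:
        rows = rows[:1]  # an application written to show a single account
    return [decrypt(row[0], KEY) for row in rows]

def safe_query(conn, user_input):
    """The fix that applies to either design: a parameterized query.
    The input is bound as a value, never parsed as SQL."""
    rows = conn.execute("SELECT AccountNumber FROM tblTable WHERE User = ?",
                        (user_input,)).fetchall()
    return [decrypt(row[0], KEY) for row in rows]

if __name__ == "__main__":
    conn = build_db()
    attack = "someuser' or '1'='1"   # closes the literal and appends OR 1=1
    print("UDF-side, injected:        ", udf_side(conn, attack))
    print("App-side, all rows shown:  ", app_side(conn, attack, expect_one=False))
    print("App-side, one row shown:   ", app_side(conn, attack, expect_one=True))
    print("Parameterized, injected:   ", safe_query(conn, attack))
```

Run as written, the injected input returns all three account numbers from the UDF-side query, and the application-side query returns all three ciphertexts; if the application decrypts and renders every row it received, the two designs leak the same data. Only an application that decrypts a single row limits the exposure, and that is a property of the display code, not of where the key is used. The parameterized query returns nothing for the attack string under both designs, which is the point the post already concedes: the placement of decryption changes how much a successful injection reveals, while binding parameters prevents the injection itself.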