mailing list archives
Re: SQL Injection
From: "Steven M. Christey" <coley () mitre org>
Date: Thu, 3 Jun 2004 20:35:00 -0400 (EDT)
The best way would be creating a white list, allowing only defined
characters and rejecting everything else. Saves you headaches in the
long run. Use Regexs for this.
While white lists are far better than black lists, the correct "white
list" will vary depending on which type of vulnerability you are
protecting against. For example, restricting inputs to alphanumeric,
spaces, and hyphens will still open you up to certain argument
injection vulnerabilities. So, you may need to apply different white
lists to the data, depending on where (and how) the data is being
used, and which types of vulnerabilities may be present at that point.
You may want to use a "SQL injection" white list on data input, with
an "XSS white list" on data output (though "XSS white list" is almost
an oxymoron these days, with all the custom browser behaviors).
It would be interesting to know if anybody's tried to implement
"context-sensitive taint checks" that know which filters have been
applied to data elements, and when.