mailing list archives
Re: SQL Injection
From: "Steven M. Christey" <coley () mitre org>
Date: Tue, 8 Jun 2004 17:52:15 -0400 (EDT)
BTW, any opinions on if I just encode all input without checking for any
characters? Say converting all <script> to <script> Can anyone
still do XSS or SQL Injection in that case?
Not that I can think of, but there might be implications if there's a
However... If the routine is being coded in C or another language
that's prone to buffer overflows, then you need to make sure to
account for all the potential quoting when allocating the memory to
hold the resulting string. "Transformation-based" buffer overflows
(my hastily coined term) are starting to become more common. If the
transformation converts a double-quote character to a ""e;", then
an attacker could expand the original string by a factor of 6, which
could have implications for the application itself *or* the back end.