Re: SQL Injection
From: Rogan Dawes <discard () dawes za net>
Date: Mon, 14 Jun 2004 08:36:38 +0200
Stephen de Vries wrote:
> On 9 Jun 2004, at 18:39, Steven M. Christey wrote:
>> < snip >
>> So, I guess my point is that whitelists can't be used in isolation.
>> Quoting and encoding must still play a role when passing inputs
>> between data boundaries. Sorry if this is old hat to everyone else.
> That's a good point - Input validation should really be performed in
> every processing context, because it is only in that context that you
> know what is valid and what is invalid data.
Exactly. I think that Alex Russell first started talking about "boundary
validation" (although I think that Sverre Huseby was talking about
the concept previously), which refers to making sure that content
inappropriate for the "service" on the other side of the boundary is
appropriately filtered. This could be done on either side of the
boundary, of course, but is not restricted to "input filtering".
For example, boundary filtering should be done from application to
database, and from application to client. Doing it properly in these two
places would eliminate SQL injection and XSS.
It should also be done between application and LDAP directory, between
application and XML messaging service, between application and text log.
Simply saying "input validation" fails to recognise that you can have
very different rules and requirements for each of the above.
You also end up with data in different formats, or in different
representations, which could lead to corruption if you are doing quoting
in different places.
*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
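The per-boundary rules Rogan describes, worked through as an added example (this code is not from the thread or from any of its participants). It takes one constructed untrusted value and applies a different rule at each boundary: a bound parameter towards the database, HTML entity encoding towards the browser, RFC 4515 filter escaping towards LDAP (the `to_ldap_filter` helper is written here for illustration; a real application should use its LDAP library's escaper), and newline neutralization towards a text log. It also shows the SQL injection that string concatenation allows, and the "corruption" Rogan mentions when the HTML rule is applied at the wrong boundary and the stored value gets encoded twice.

```python
import html
import sqlite3

# Constructed sample input (not from the original thread): one value that is
# harmless at some boundaries and hostile at others.
UNTRUSTED_NAME = "O'Brien <b>x</b> *)(uid=*)\nADMIN LOGIN OK"


def _fresh_db():
    """Constructed in-memory table with two known rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_concat(name):
    """The 'before': SQL built by string concatenation. A quote in the input
    becomes SQL syntax, which is the injection the thread is about."""
    conn = _fresh_db()
    rows = conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()
    conn.close()
    return [r[0] for r in rows]


def lookup_param(name):
    """Application -> database boundary: bind the value as a parameter. The
    driver passes it out-of-band, so no quoting of our own is required."""
    conn = _fresh_db()
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    conn.close()
    return [r[0] for r in rows]


def store_and_fetch(name):
    """Round-trip an arbitrary value through the database using parameters
    only; it must come back byte-for-byte unchanged."""
    conn = _fresh_db()
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    conn.close()
    return row[0]


def to_html(name):
    """Application -> browser boundary: HTML entity encoding (the XSS rule)."""
    return "<td>%s</td>" % html.escape(name, quote=True)


def to_ldap_filter(name):
    """Application -> LDAP directory boundary: RFC 4515 filter escaping.
    Hypothetical helper for illustration; note that the quote and the angle
    brackets that mattered above are harmless here, while '*', '(' and ')'
    are the dangerous characters."""
    out = []
    for ch in name:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "(cn=%s)" % "".join(out)


def to_log_line(name):
    """Application -> text log boundary: the only rule that matters is that
    the value cannot start a new log line, so CR/LF are made visible."""
    cleaned = name.replace("\r", "\\r").replace("\n", "\\n")
    return "login name=%s" % cleaned


def double_encoded(name):
    """The corruption case: applying the HTML rule on the way *into* the
    database and again on the way out to the browser turns '&lt;' into
    '&amp;lt;', so the stored data no longer renders as the user typed it."""
    stored = store_and_fetch(html.escape(name, quote=True))
    return to_html(stored)


if __name__ == "__main__":
    print("concat  :", lookup_concat("x' OR '1'='1"))
    print("param   :", lookup_param("x' OR '1'='1"))
    print("html    :", to_html(UNTRUSTED_NAME))
    print("ldap    :", to_ldap_filter(UNTRUSTED_NAME))
    print("log     :", to_log_line(UNTRUSTED_NAME))
    print("double  :", double_encoded(UNTRUSTED_NAME))
```

Each function encodes for exactly one consumer and is applied at the point where the data crosses to that consumer; the raw value is what gets stored, which is why `store_and_fetch` returns it unchanged and why `double_encoded` shows what goes wrong when encoding is done early and then repeated.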