WebApp Sec mailing list archives

Re: SQL Injection
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 16 Jun 2004 11:17:29 -0500

On Wed, 2004-06-16 at 03:56, Stephen de Vries wrote:
> But I think we agree that the data must be validated at some point, so
> instead of validating it in a function just before output, it would be
> more elegant to define another function that accepts the data and
> validates it as input.

I understand what you are saying. But calling it input and output depends
on the point of view of the observer. I was (in my mind) segmenting it
into trust boundaries. You trust your code, you don't trust the user.
The user inputs data to your code, and your code outputs data to the user.

Perhaps we should just call it data validation, without explicitly
labeling it input and output. That way data validation can be applied
between trust boundaries, or application modules/functions.

(That way Jeff can keep it a Top 10 list ;)

What are your thoughts? 


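The trust-boundary view of validation discussed in this thread, as an added example that is not part of the original message: one validation function is applied where untrusted user data enters the code and again at the data-access module's own boundary, and the value is bound as a query parameter so it is never interpreted as SQL. The username policy, table layout and sample rows are assumptions constructed for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for a real application's users table.
SAMPLE_USERS = [("alice", "alice@example.test"), ("o'brien", "ob@example.test")]

# Assumed whitelist policy for a username crossing the user -> code boundary:
# letters, digits, dot, underscore, apostrophe or dash, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._'-]{1,32}$")


def validate_username(value):
    """Data validation at a trust boundary: accept a str matching the
    whitelist, otherwise reject with ValueError. The same function is
    reused at the module boundary below, so the check does not depend on
    whether the caller labels the data 'input' or 'output'."""
    if not isinstance(value, str) or not USERNAME_RE.match(value):
        raise ValueError("username rejected at trust boundary: %r" % (value,))
    return value


def open_sample_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email(conn, username):
    """Data-access module. Re-validates at its own boundary (it does not
    assume every caller did) and binds the value as a parameter, so even a
    legitimate apostrophe in a name is data, not SQL syntax."""
    name = validate_username(username)
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def handle_request(conn, raw_username):
    """Untrusted-input boundary: returns (status, payload) the way a web
    handler would, without leaking exception text back to the user."""
    try:
        email = find_email(conn, raw_username)
    except ValueError:
        return ("rejected", None)
    return ("ok", email) if email else ("not_found", None)


if __name__ == "__main__":
    db = open_sample_db()
    for raw in ("alice", "o'brien", "x' OR '1'='1", "nobody"):
        print(repr(raw), "->", handle_request(db, raw))
```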
