WebApp Sec mailing list archives
Re: SQL Injection Basics
From: Alex Russell <alex () netWindows org>
Date: Mon, 10 Feb 2003 15:50:16 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 11 February 2003 01:48 pm, Sverre H. Huseby wrote:
> The OWASP (www.owasp.org) Filters project introduces the term "boundary filtering" [1]: You do input validation when data passes the boundary/border between the client and your application.
Thanks for the kind words Sverre = )
> And you do subsystem filtering when the data passes from your application to one of many possible subsystems, including the end users' browsers (to prevent Cross-site Scripting). The "boundary filtering" approach is the most ingenious method proposed so far, IMNSHO.
Well, it's nothing new. I recently gave a talk on the Filters project and began the talk by saying that "there is nothing academically interesting about the OWASP filters project". We are simply attempting to provide a single point of contact/reference for what people _should_ be doing anyway (but quite obviously aren't). Defense in depth is nothing new, but it's kind of entertaining watching people rediscover it over and over again.
> 1: Until someone tells me otherwise, I give Alex Russell the credit for that cool term, because I first saw it in one of his documents.
I'm pretty sure the concepts of defense in depth will be traceable as far back as someone has had something someone else wanted, and someone was able to write it down. = )

- --
Alex Russell
alex () netWindows org
alex () SecurePipe com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+SB6YoV0dQ6uSmkYRAvs3AJ9YYIHklnoxKL8M1gEBwwGQ1V1DFQCfXU86
X+FuRdlATpPLM1VkrIl0mxI=
=h0+6
-----END PGP SIGNATURE-----
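The two layers discussed in the message above, boundary filtering where data enters the application and subsystem filtering where it leaves for the database or the browser, shown side by side with the unfiltered concatenation that makes SQL injection possible. This is an added example written for this archive page; it is not code from the OWASP Filters project or from anyone in the thread. The `users` table, its seed rows, the injection payload and the `boundary_filter_username` whitelist are all constructed for the demonstration.

```python
import html
import re
import sqlite3

# Constructed seed data for the stand-alone demo. The third row carries
# markup on purpose so the browser-side filter has something to neutralise.
SEED_USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("mallory", "<b>m</b>@example.org"),
]

# Whitelist for a username crossing the client/application boundary
# (an assumed policy for this example: letters, digits, underscore, 1-32 chars).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def boundary_filter_username(raw):
    """Boundary filtering: validate the value as it crosses from the client
    into the application. Anything outside the whitelist is rejected and
    None is returned, so callers cannot accidentally keep using bad input."""
    if not isinstance(raw, str) or not USERNAME_RE.match(raw):
        return None
    return raw


def make_db():
    """In-memory SQLite database holding the constructed seed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def lookup_unfiltered(conn, name):
    """The classic mistake: the value is concatenated straight into SQL with
    no filtering at either layer, so the database parses it as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = '" + name + "'"
    ).fetchall()


def lookup_subsystem_filtered(conn, name):
    """Subsystem filtering for the database: the value is handed to SQLite as
    a bound parameter, so it is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_for_browser(rows):
    """Subsystem filtering for the browser: HTML-escape on the way out so a
    stored value cannot become markup when the page is rendered."""
    return "".join(
        "<li>%s (%s)</li>" % (html.escape(n), html.escape(e)) for n, e in rows
    )


def handle_request(conn, raw_name):
    """Both layers together (defense in depth): reject at the boundary first,
    then apply the SQL and browser subsystem filters to whatever got through."""
    name = boundary_filter_username(raw_name)
    if name is None:
        return None  # rejected at the client/application boundary
    return render_for_browser(lookup_subsystem_filtered(conn, name))


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unfiltered:", lookup_unfiltered(db, payload))          # every row
    print("parameterised:", lookup_subsystem_filtered(db, payload))  # no rows
    print("boundary:", boundary_filter_username(payload))          # None
    print("layered:", handle_request(db, "mallory"))               # escaped markup
```

The point of running both lookups against the same payload is that either layer alone stops this injection, which is exactly why the filtered version survives a missing check in the other layer: the boundary filter rejects the quote and spaces, and the bound parameter would have rendered them harmless anyway. The browser filter is independent of both, since the markup in mallory's row was never touched by the username check.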
Current thread:
- RE: SQL Injection Basics, (continued)
- RE: SQL Injection Basics Keith Smith (Feb 10)
- Re: SQL Injection Basics Kevin Spett (Feb 10)
- Re: SQL Injection Basics Dejan Bosanac (Feb 11)
- Re: SQL Injection Basics Dirk Gomez (Feb 11)
- Re: SQL Injection Basics Dejan Bosanac (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics Alex Russell (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics Alex Russell (Feb 11)
- Re: SQL Injection Basics Jerry Connolly (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Jerry Connolly (Feb 11)
- Re: SQL Injection Basics Ken Anderson (Feb 11)
- Re: WebSleuth and the SQLInjeciton Plugin Chip Andrews (Mar 10)