WebApp Sec mailing list archives
Database Encryption -- Sql Injection
From: "Dave Bergert" <dbergert () nobel-net com>
Date: Mon, 21 Apr 2003 20:31:48 -0500
Does anyone have any comments on where best to incorporate column-level encryption in a database field? At the database server level (via a User Defined Function) or at the application level? Which would be less impervious to SQL Injection? I am on a MS-SQL 2000 and IIS platform.

If I had a User Defined Function, for example:

Select decrypt(AccountNumber, "key") from tblTable where User = 'someuser'

If SQL Injection occurs:

Select decrypt(AccountNumber, "key") from tblTable where User = 'someuser' or 1=1

In this case, if SQL injection occurs, the encrypted field will be automatically decrypted by the UDF, showing all AccountNumbers.

If I had the decryption handled at the application:

Select encryptedAccountNumber from tblTable where User = 'someuser'

and had the application call:

AccountNumber = DecryptFunction(ResultSet("encryptedAccountNumber"), "key")

If SQL Injection occurs, the only way data could be seen is through whatever mechanism the application displays the AccountNumber. (Are these scenarios identical?)

I know that encryption is not a substitute for good input sanity validation. Which method would be better to implement?

Thanks for comments.

Regards,
Dave Bergert
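The two placements of the decrypt step that the post compares, driven with an injected WHERE clause, as an added example that is not part of the original post or of any reply in the thread. It uses Python's built-in sqlite3 as a stand-in for MS-SQL 2000: sqlite3's create_function registers a Python routine as a server-side UDF, playing the role of the T-SQL decrypt(AccountNumber, "key") function. The cipher is a toy SHA-256 keystream XOR, there only so the block runs offline with no third-party library; it is not a cipher to deploy, and a real column cipher would replace encrypt() and decrypt(). The table, its rows, the key string and the payload "alice' OR 1=1 --" are all constructed. It also goes one step past the post by adding a parameterised query, which is the input-handling fix the post says encryption does not replace.

```python
"""Where the decrypt step sits vs. an injected WHERE clause (sqlite3 stand-in for MS-SQL)."""
import hashlib
import os
import sqlite3

# Constructed demo key. The string form is what the SQL text hands to the UDF,
# in the same position as the post's decrypt(AccountNumber, "key").
KEY_TEXT = "demo-key-not-for-production"
KEY = KEY_TEXT.encode()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream built from SHA-256(key || nonce || counter) blocks.
    Illustration only; any real column cipher drops in at encrypt()/decrypt()."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: str, key: bytes = KEY) -> bytes:
    """Returns nonce || (plaintext XOR keystream), with a fresh nonce per value."""
    nonce = os.urandom(8)
    data = plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt(blob: bytes, key: bytes = KEY) -> str:
    """Inverse of encrypt(): split off the nonce and XOR the body with the keystream."""
    nonce, body = blob[:8], blob[8:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


def build_db() -> sqlite3.Connection:
    """Constructed table in the shape the post describes, plus a server-side decrypt UDF."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblTable (User TEXT, encryptedAccountNumber BLOB)")
    for user, acct in [("alice", "1111-2222"), ("bob", "3333-4444"), ("carol", "5555-6666")]:
        conn.execute("INSERT INTO tblTable VALUES (?, ?)", (user, encrypt(acct)))
    # Same role as the T-SQL UDF: the server decrypts whatever the query selects.
    conn.create_function("decrypt", 2, lambda blob, key: decrypt(blob, key.encode()))
    return conn


def udf_query(conn: sqlite3.Connection, user: str) -> list:
    """Option 1: decrypt inside the database. The WHERE clause is built by string
    concatenation, which is the injection the post is worried about."""
    sql = (f"SELECT decrypt(encryptedAccountNumber, '{KEY_TEXT}') "
           f"FROM tblTable WHERE User = '{user}'")
    return [row[0] for row in conn.execute(sql)]


def app_query(conn: sqlite3.Connection, user: str) -> list:
    """Option 2: the same concatenated WHERE clause, but the column comes back as ciphertext."""
    sql = f"SELECT encryptedAccountNumber FROM tblTable WHERE User = '{user}'"
    return [row[0] for row in conn.execute(sql)]


def app_decrypt_all(blobs: list) -> list:
    """What an application does when it decrypts every row of the result set before
    display; at that point option 2 exposes exactly what option 1 did."""
    return [decrypt(b) for b in blobs]


def safe_query(conn: sqlite3.Connection, user: str) -> list:
    """Parameterised query: the payload is compared as a literal user name, so only
    rows for that exact value come back, whichever side does the decrypting."""
    rows = conn.execute(
        "SELECT encryptedAccountNumber FROM tblTable WHERE User = ?", (user,))
    return [decrypt(row[0]) for row in rows]


if __name__ == "__main__":
    db = build_db()
    payload = "alice' OR 1=1 --"   # constructed injection; -- comments out the closing quote
    print("UDF, injected:     ", udf_query(db, payload))                   # every plaintext
    print("app, injected:     ", app_query(db, payload))                   # every ciphertext blob
    print("app decrypts all:  ", app_decrypt_all(app_query(db, payload)))  # every plaintext again
    print("parameterised:     ", safe_query(db, payload))                  # nothing
```

Running it shows the difference the post is asking about: with the UDF, the injected query alone yields every account number in clear; with application-side decryption, the same injection yields every ciphertext, and the plaintext leaks only when the application goes on to decrypt and display all of the rows it got back. The parameterised query returns nothing for the payload because no user is literally named "alice' OR 1=1 --".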
Current thread:
- Database Encryption -- Sql Injection Dave Bergert (Apr 21)
- <Possible follow-ups>
- RE: Database Encryption -- Sql Injection Logan F.D. Greenlee (Apr 21)
- Re: Database Encryption -- Sql Injection Kevin Spett (Apr 24)
- RE: Database Encryption -- Sql Injection Dave Bergert (Apr 24)
- Re: Database Encryption -- Sql Injection Kevin Spett (Apr 24)
- RE: Database Encryption -- Sql Injection Brass, Phil (ISS Atlanta) (Apr 24)