WebApp Sec mailing list archives
Re: SQL Injection
From: <athena () buyukada co uk>
Date: Thu, 17 Jun 2004 15:26:06 +0100 (BST)
<delurk> Ok, this is a little simplistic but what the hell. I'm going to use C, simply because it's fairly clear as to what's going on here, even though really this is the wrong language to do it in. Consider the following function (and let's just pretend that really it's a web app function somewhere in an include).

    #include <stdio.h>

    int foo(char *bar, int id)
    {
        /* prints whatever it was handed, with no checks at all */
        printf("Your baltac was %s and you did %i Hello Yvettes\n", bar, id);
        return 0;
    }

It's hideously insecure for a number of reasons. The most fundamental issue is the fact that this function trusts whatever's been passed to it. What we need to do is something like this:

    #include <stdio.h>
    #include <stdlib.h>
    /* returns 0 when every character of input is in expectedInput, non-zero otherwise */
    int validate(const char *input, const char *expectedInput);

    typedef struct { char *foo; int id; } bartok;

    bartok *foo(char *bar, int id)
    {
        char *expectedInput;
        bartok *baltac;
        char idstr[16];

        expectedInput = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
        if (validate(bar, expectedInput) != 0)
            return NULL;

        expectedInput = "0123456789";
        snprintf(idstr, sizeof idstr, "%i", id);   /* check id as a string of digits */
        if (validate(idstr, expectedInput) != 0)
            return NULL;

        baltac = malloc(sizeof *baltac);
        if (baltac == NULL)
            return NULL;
        baltac->foo = bar;
        baltac->id = id;
        printf("Your baltac was %s and you did %i Hello Yvettes\n", bar, id);
        return baltac;
    }

Let's assume that in this case a simple check to ensure only expected characters provides a suitable level of validation for what we want to do. In the case above, foo doesn't need to validate the return value of the validate function because we know validate will return specific values. We know the foo() function will return a NULL if the validation fails and a pointer if it's ok. The calling function can then take action on a NULL and validate it if it isn't. We MIGHT want to validate the return value of foo as it's a pointer to baltac - other operations performed on the values of baltac.foo and baltac.id might result in the contents no longer matching the expectedInput.

IMHO you should validate whenever you're uncertain of the contents, be it in a function, a form field or whatever.

Just my 0.02 groats,

Steve
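As an added example, not part of Steve's post above, here is a complete version of the whitelist idea he sketches: a validate() built on strspn(), a record builder that returns NULL on bad input, and a caller that acts on that NULL. The names (validate, record, build_record, handle_request) and the sample inputs are my own assumptions, constructed to show what a character whitelist accepts and rejects.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the original post. Names below are assumed. */

#define ALPHA_UPPER "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
#define DIGITS      "0123456789"

/* Returns 0 when input is non-empty and every byte is in allowed,
 * non-zero otherwise. strspn() stops at the first byte outside the
 * set, so a single stray quote, space or semicolon is enough to reject. */
int validate(const char *input, const char *allowed)
{
    if (input == NULL || input[0] == '\0')
        return 1;
    return input[strspn(input, allowed)] == '\0' ? 0 : 1;
}

struct record {
    char name[64];
    char id[16];
};

/* Builds a validated record or returns NULL. Both fields are copied, so
 * the caller cannot mutate the validated text behind our back later. */
struct record *build_record(const char *name, const char *id)
{
    struct record *r;

    if (validate(name, ALPHA_UPPER) != 0 || strlen(name) >= sizeof r->name)
        return NULL;
    if (validate(id, DIGITS) != 0 || strlen(id) >= sizeof r->id)
        return NULL;

    r = calloc(1, sizeof *r);
    if (r == NULL)
        return NULL;
    memcpy(r->name, name, strlen(name) + 1);
    memcpy(r->id, id, strlen(id) + 1);
    return r;
}

/* The caller's side of the contract: act on NULL, use the record otherwise.
 * Returns 1 when the request was accepted, 0 when it was rejected. */
int handle_request(const char *name, const char *id)
{
    struct record *r = build_record(name, id);
    if (r == NULL) {
        fprintf(stderr, "rejected input\n");
        return 0;
    }
    printf("Your baltac was %s and you did %s\n", r->name, r->id);
    free(r);
    return 1;
}

int main(void)
{
    /* Constructed inputs: one clean request, then two shaped like the
     * classic quote/semicolon payloads a SQL injection attempt would carry. */
    handle_request("YVETTE", "42");
    handle_request("YVETTE' OR '1'='1", "42");
    handle_request("YVETTE", "42; DROP TABLE users");
    return 0;
}
```

Copying the fields into the record only protects against the caller changing the original buffer afterwards; if the code later transforms name or id itself (trimming, concatenating, decoding), the post's caveat still applies and the value should be validated again at the point where it is used.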
Current thread:
- Re: SQL Injection, (continued)
- Re: SQL Injection Frank Knobbe (Jun 16)
- Re: SQL Injection Jeff Williams (Jun 16)
- Re: SQL Injection Frank Knobbe (Jun 16)
- Re: SQL Injection Frank Knobbe (Jun 28)
- RE: SQL Injection Mutallip Ablimit (Jun 29)
- Re: SQL Injection gcb33 (Jun 29)
- Re: SQL Injection Alex Russell (Jun 16)
- RE: SQL Injection Clement Dupuis (Jun 14)
- Re: SQL Injection athena (Jun 17)
- Re: SQL Injection Frank Knobbe (Jun 21)