WebApp Sec mailing list archives

Re: SQL Injection Basics


From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 11 Feb 2003 20:48:45 +0100

[dreamwvr () dreamwvr com]

|   Well IMO why not simply filter out all non alpha and integers.
|   logging everything else and not allowing to form a SQL statement
|   at all? Then allow very select special characters like ; only in
|   a specific position. Just my 2 cents.

Because that's not the general solution.  If you program, say, a bank
application, you cannot simply say that nobody named O'Connor will be
allowed to register.  If you program a discussion site for
programmers, you cannot remove selected characters from the notes,
because the program snippets people would like to include may
legitimately contain some of those special characters.

The problem is that input validation is _not_ about filtering for all
possible subsystems (such as databases) to which you intend to pass
data.  For some types of input you may put strict limitations on what
characters are accepted.  For others you may not.  No serious customer
in the world will accept that "we cannot allow quotes and backslashes
in the input because the database will choke."

No matter what restrictions you put on valid input, you may have to
escape some characters before passing data along to a subsystem.  And
that's what it's all about.

The OWASP (www.owasp.org) Filters project introduces the term
"boundary filtering" [1]: You do input validation when data passes the
boundary/border between the client and your application.  And you do
subsystem filtering when the data passes from your application to one
of many possible subsystems, including the end users' browsers (to
prevent Cross-site Scripting).  The "boundary filtering" approach is
the most ingenious method proposed so far, IMNSHO.  And to be even
less humble, it's the same kind of filtering I (and most likely more
people) have preached for the last couple of years, although I failed
to come up with that cool term.  Drats.  :)


Sverre.

1: Until someone tells me otherwise, I give Alex Russell the credit
   for that cool term, because I first saw it in one of his documents.

-- 
shh () thathost com             Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/        http://nerdquiz.thathost.com/
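The two layers Sverre describes, boundary filtering at the client/application border and subsystem filtering at the application/database and application/browser borders, as an added example (not code from the original message, the OWASP Filters project, or Alex Russell). It uses Python's sqlite3 module with bound parameters as the database-side filter in place of hand-written quote escaping, and html.escape as the browser-side filter; the sample names and notes are constructed, and the name rule is an illustrative domain rule, not one the post prescribes.

```python
import html
import re
import sqlite3

# Constructed sample input: a legitimate name with an apostrophe, and a
# programmer's note carrying HTML, a SQL comment marker and a quoted literal.
SAMPLE_USERS = [
    ("O'Connor", "Bank client; the apostrophe is legitimate."),
    ("Alice", "<script>alert(1)</script> -- and a SQL snippet: SELECT 'x';"),
]

# Boundary rule for a *name*, chosen from the application domain (letters,
# apostrophe, hyphen, space), not from what the database happens to tolerate.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")


def validate_name(name: str) -> str:
    """Boundary filtering: reject what is not a plausible name, keep O'Connor."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid name: {name!r}")
    return name


def validate_note(note: str) -> str:
    """Boundary filtering for free text: code snippets must survive, so only
    the length is constrained here; quotes and semicolons are data."""
    if not 0 < len(note) <= 4000:
        raise ValueError("note length out of range")
    return note


def store_user(conn: sqlite3.Connection, name: str, note: str) -> None:
    """Subsystem filtering for the database: bound parameters keep the data
    out of the SQL text entirely, whatever characters it contains."""
    conn.execute("INSERT INTO users(name, note) VALUES (?, ?)", (name, note))


def store_user_unsafely(conn: sqlite3.Connection, name: str, note: str) -> None:
    """The anti-pattern under discussion: the statement is built by string
    concatenation, so a legitimate apostrophe already breaks it."""
    conn.execute(f"INSERT INTO users(name, note) VALUES ('{name}', '{note}')")


def render_user(name: str, note: str) -> str:
    """Subsystem filtering for the browser: escape on output, so the stored
    <script> tag is shown as text instead of executed (no XSS)."""
    return f"<li>{html.escape(name)}: {html.escape(note)}</li>"


def demo():
    """Run both layers over the sample data; returns (rows, rendered_html,
    unsafe_insert_failed) so the behaviour can be checked, not just printed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, note TEXT)")
    for name, note in SAMPLE_USERS:
        store_user(conn, validate_name(name), validate_note(note))
    rows = conn.execute("SELECT name, note FROM users ORDER BY name").fetchall()
    rendered = [render_user(n, t) for n, t in rows]
    # The string-built insert chokes on O'Connor: sqlite reports a syntax error.
    try:
        store_user_unsafely(conn, "O'Connor", "x")
        unsafe_failed = False
    except sqlite3.OperationalError:
        unsafe_failed = True
    return rows, rendered, unsafe_failed


if __name__ == "__main__":
    rows, rendered, unsafe_failed = demo()
    print(rows)
    print("\n".join(rendered))
    print("string-built INSERT failed on O'Connor:", unsafe_failed)
```

The point the example makes is the one in the message: the name rule is decided by the domain and lets the apostrophe through, the note rule lets arbitrary code through, and neither layer needs to know about the other, because each subsystem gets its own filter at its own border.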

