WebApp Sec mailing list archives

Re: SQL Injection Basics


From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 11 Feb 2003 23:09:12 +0100

[Alex Russell]

|   Thanks for the kind words Sverre = )

You're welcome! :)

|   > 1: Until someone tells me otherwise, I give Alex Russell the credit
|   >    for that cool term, because I first saw it in one of his documents.
|   
|   I'm pretty sure the concepts of defense in depth will be traceable
|   as far back as someone has had something someone else wanted, and
|   someone was able to write it down. = )

I'm not crediting you for "defense in depth", but for the term
"boundary filtering" as used in the context of a web application.  The
term makes it perfectly clear how filtering should be done, not only
to have defense in depth, but to have things that actually work, even
if there is no attack going on.

What do I mean by "things that actually work"?  Say that one user
registers as "O'Connor" (my favorite, troublesome name).

The "input validation" people (for example those thinking that PHP's
magic_quotes saves them) will escape the quote when the guy enters his
name.  Then they will store the name in the database.  That's all for
the troublesome quote character: It was dealt with at input time, and
will never be dealt with again.  Now say that part of the application
logic reads names from the database and stores them in another table
using dynamic SQL queries.  The "input validation" people will run
into trouble as the quote shows up in an SQL string constant again.

The "boundary filtering" people, on the other hand, do not escape the
quote character as it comes in, but rather as they pass it to the
database.  _Every_time_ they pass a string to the database, that is.
They will never run into the "second order" problem described above.

Most web developers should stop thinking about "input validation", and
start thinking about "boundary filtering".  Not because input
validation is unimportant, but because boundary filtering is broader.
It even covers input validation.  That's why I think the term is
ingenious: It is a well formulated term for the correct approach,
compared to the old term that just focuses on one (small) part of the
application boundary.


Sverre.

-- 
shh () thathost com             Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/        http://nerdquiz.thathost.com/
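To make the "O'Connor" scenario from the message above concrete, here is an added example that is not part of the original mail or Sverre's own code. It assumes SQLite through Python's `sqlite3` module, a `magic_quotes`-style doubling of quotes as the "escape once at input" step, and a single parameterized helper as the database boundary. The first flow escapes the name when it arrives and then copies it to a second table with dynamic SQL, which is exactly where the second-order problem bites; the second flow escapes at every database boundary instead and survives both steps.

```python
import sqlite3


def fresh_db():
    """Constructed schema: a users table and an audit table that copies names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("CREATE TABLE audit (name TEXT)")
    return conn


def escape_at_input(value):
    """Mimics magic_quotes: the quote is 'dealt with' once, at input time."""
    return value.replace("'", "''")


def input_validation_flow(conn, raw_name):
    """Escape once on input, then reuse the stored value with dynamic SQL.

    Returns (name_as_stored, error_message_or_None).
    """
    escaped = escape_at_input(raw_name)
    # Stage one works: the database decodes '' back to a single quote.
    conn.execute(f"INSERT INTO users (name) VALUES ('{escaped}')")

    # Stage two: application logic reads the name back. The stored value is
    # the real name again, with the quote intact and nobody escaping it.
    stored = conn.execute("SELECT name FROM users").fetchone()[0]
    try:
        conn.execute(f"INSERT INTO audit (name) VALUES ('{stored}')")
        return stored, None
    except sqlite3.OperationalError as exc:
        # The quote shows up inside an SQL string constant a second time.
        return stored, str(exc)


def db_exec(conn, sql, params=()):
    """The database boundary: every statement goes through here, parameterized.

    Hypothetical helper name; the point is that escaping belongs at this
    boundary, every time a value crosses it, not at the input form.
    """
    return conn.execute(sql, params)


def boundary_filtering_flow(conn, raw_name):
    """Filter at the boundary on every pass; both stages succeed."""
    db_exec(conn, "INSERT INTO users (name) VALUES (?)", (raw_name,))
    stored = db_exec(conn, "SELECT name FROM users").fetchone()[0]
    db_exec(conn, "INSERT INTO audit (name) VALUES (?)", (stored,))
    return db_exec(conn, "SELECT name FROM audit").fetchone()[0]


if __name__ == "__main__":
    name = "O'Connor"  # constructed sample input from the mail's own example

    stored, err = input_validation_flow(fresh_db(), name)
    print("input validation: stored", repr(stored), "second stage error:", err)

    print("boundary filtering: audit holds", repr(boundary_filtering_flow(fresh_db(), name)))
```

The second-order failure here is only a syntax error, which is the benign version of the problem; the same forgotten quote is what turns a stored value into an injection point when the copied string is attacker-controlled. Routing every statement through one parameterized helper makes the boundary a single place to review, and makes the "was this value escaped already?" question disappear.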