WebApp Sec mailing list archives
Re: Lazy sanitizing of data for SQL queries
From: "Sverre H. Huseby" <shh () thathost com>
Date: Fri, 24 Jan 2003 22:00:21 +0100
[Sverre H. Huseby (that's me)] | Yes. What would you do for columns that were not textual? I'm answering myself, because I responded too quickly. My second objection (or confusion) goes like this: What would you gain? Instead of having to remember to always call a function to escape quotes, ensure numeric and so on, you would have to remember calling a function to do BASE64. I can't see what you win. And if that wasn't enough, you would _also_ have to remember to always call a function to decode BASE64 after reading from the database, so your scheme actually makes it all even more cumbersome. Not to mention all the hassle you must go through to manually inspect or edit the database. In addition, you must do calculations between BASE64 lengths and actual lengths when you define the tables (if you want to do length checks in the application). And finally (at least for this mail), you will run into problems if you allow other applications (beyond your control) to access the same database. Many applications grow far beyond the initial intent, so this scenario may be more likely than one first thinks (at least if you program a huge web application for a large customer). Sverre. PS: I'm a little bit angry with myself because I didn't immediately see the sorting problem mentioned by Phil Brass. :) -- shh () thathost com Computer Geek? Try my Nerd Quiz http://shh.thathost.com/ http://nerdquiz.thathost.com/
Current thread:
- Re: Lazy sanitizing of data for SQL queries Sverre H. Huseby (Jan 24)
- Re: Lazy sanitizing of data for SQL queries Sverre H. Huseby (Jan 24)
- <Possible follow-ups>
- RE: Lazy sanitizing of data for SQL queries Brass, Phil (ISS Atlanta) (Jan 24)
- RE: Lazy sanitizing of data for SQL queries Lawrence, Gabriel (Jan 24)