WebApp Sec mailing list archives

Re: SQL Injection


From: "Sverre H. Huseby" <shh () thathost com>
Date: Wed, 16 Jun 2004 19:55:46 +0200

[David Cameron]

|   Suppose you have a comments which is represented at the web app as
|   a textbox and in the database as a VarChar(2000) column. Consider
|   the case where someone enters 2001 characters into the field. As
|   far as the web application is concerned, text is text and how much
|   text should be allowed is a concern for the database.

My current view:

The length of the field in the database is not an SQL metacharacter
problem, and thus should not (necessarily) be handled in the interface
between the app and the database.  By specifying a length restriction
when defining the table, one in fact says that "in this application
the comment is limited to 2000 chars".  It may be seen as an
application constraint, not a database constraint.  If you accept that
view, then the length check belongs with the input validation part of
the code (the boundary between the client and the app).  Input
validation is supposed to make sure incoming data matches the
expectations (or rules) of the application.

If the input validation part fails to check the length restriction
(and you agree that it should have done it), then an appropriate
action upon an error return from the database would be to throw an
exception (or equivalent).  Parts of the code have failed to do their
job, and it makes no sense to continue.


Sverre.

-- 
shh () thathost com               My web security book: Innocent Code
http://shh.thathost.com/       http://innocentcode.thathost.com/
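The split Sverre describes, shown as an added example that is not code from the thread or from any book it mentions: the length rule lives in input validation at the client/app boundary, metacharacters are neutralised at the app/database boundary by a parameterized query, and a database length error that slips through is treated as a programming failure and raised rather than swallowed. It assumes SQLite, which does not enforce a declared VarChar(2000) width on its own, so a CHECK constraint stands in for that limit.

```python
import sqlite3

# The VarChar(2000) column width restated as an application rule.
MAX_COMMENT_LEN = 2000


def setup_db():
    """Constructed in-memory schema. The CHECK mirrors the column width
    because SQLite ignores the length in VARCHAR(2000)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments ("
        "  id INTEGER PRIMARY KEY,"
        "  body VARCHAR(2000) NOT NULL CHECK (length(body) <= 2000)"
        ")"
    )
    return conn


def validate_comment(text):
    """Client/app boundary: enforce what the application expects of a comment."""
    if not isinstance(text, str):
        raise ValueError("comment must be a string")
    if not text:
        raise ValueError("comment must not be empty")
    if len(text) > MAX_COMMENT_LEN:
        raise ValueError("comment exceeds %d characters" % MAX_COMMENT_LEN)
    return text


def store_comment(conn, text, validate=True):
    """App/database boundary. Quotes, semicolons and comment markers in
    `text` are data, not SQL, because the value is bound as a parameter.
    Length is deliberately not re-checked here: if validation was skipped
    and the database rejects the row, upstream code has failed its job, so
    the error is raised as an exception instead of being handled quietly."""
    if validate:
        text = validate_comment(text)
    try:
        cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (text,))
    except sqlite3.IntegrityError as exc:
        raise RuntimeError("input validation did not enforce comment length") from exc
    conn.commit()
    return cur.lastrowid


def fetch_comment(conn, comment_id):
    row = conn.execute(
        "SELECT body FROM comments WHERE id = ?", (comment_id,)
    ).fetchone()
    return row[0] if row else None


def count_comments(conn):
    return conn.execute("SELECT count(*) FROM comments").fetchone()[0]


if __name__ == "__main__":
    conn = setup_db()
    # Constructed sample with SQL metacharacters: stored verbatim, no injection.
    tricky = "it's a 'quote'; and a -- marker"
    cid = store_comment(conn, tricky)
    print(fetch_comment(conn, cid) == tricky)          # True
    try:
        store_comment(conn, "x" * 2001)                 # rejected by validation
    except ValueError as e:
        print("validation:", e)
    try:
        store_comment(conn, "x" * 2001, validate=False)  # rejected by the database
    except RuntimeError as e:
        print("database:", e)
    print(count_comments(conn))                         # 1
```

Running it with `validate=False` simulates the case in the mail where the validation layer forgot the length check: the CHECK constraint fires, and the resulting exception is the correct outcome rather than something to recover from.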

