WebApp Sec mailing list archives

Re: SQL Injection

From: Stephen de Vries <stephen () corsaire com>
Date: Wed, 16 Jun 2004 09:56:19 +0100

From: Frank Knobbe <frank () knobbe us>
Date: 15 June 2004 21:09:33 BST
To: webappsec () securityfocus com
Cc: mark () curphey com, Stephen de Vries <stephen () corsaire com>
Subject: Re: SQL Injection

   <snip>


But the basic fact is that you have TWO checkpoints. Checking data on
input and checking data on output.

From a practical point of view I understand what you're saying, butfrom a design point of view, I think there are more elegant ways ofachieving this. When designing an application as a whole, it would bepossible to implement both input and output validation since it's quiteeasy to determine which functions output data to which components. Butwhen design starts becoming more modular, each function or componentneeds more independence and won't necessarily know where it's output isgoing to be used. Since it doesn't know where the output will be used,it can't know how it should be validated and/or sanitized.But I think we agree that the data must be validated at some point, soinstead of validating it in a function just before output, it would bemore elegant to define another function that accepts the data andvalidates it as input. For example, consider a function that reads atext file and displays the contents to a browser. Using outputvalidation the process would be (and please excuse my atrociouspseudo-code):


Function: ReadAndDisplay
1.  Read file
2.  Sanitize the output for viewing in a browser
3.  Return output

Using only input validation to achieve the same thing, the functionwould be split into two distinct functions each dealing with it's ownprocessing context:


Function: ReadFile
1.  Read file

2. Return output (since this functions purpose is to read a file andreturn the contents, irrespective of where that content is used - theoutput is not validated)


Function: DisplayToBrowser
1.  Read input (from function: ReadFile)

2. Sanitize input (and since this function deals with browsers, itknows that it should sanitize input for display in a browser)

3.  Return output

Both achieve the same result, but I believe the second example is abetter solution in large applications since it is more modular anddraws clearer boundaries between data processing contexts.




Stephen

Current thread:

Re: SQL Injection, (continued)
- - - Re: SQL Injection Alex Russell (Jun 17)
    - Re: SQL Injection Frank Knobbe (Jun 16)
    - Re: SQL Injection Jeff Williams (Jun 16)
    - Re: SQL Injection Frank Knobbe (Jun 16)
    - Re: SQL Injection Frank Knobbe (Jun 28)
    - RE: SQL Injection Mutallip Ablimit (Jun 29)
    - Re: SQL Injection gcb33 (Jun 29)
    - Re: SQL Injection Alex Russell (Jun 16)
- Re: SQL Injection Jeff Williams (Jun 14)
  - RE: SQL Injection Clement Dupuis (Jun 14)
- Re: SQL Injection Stephen de Vries (Jun 17)
  - Re: SQL Injection athena (Jun 17)
  - Re: SQL Injection Frank Knobbe (Jun 21)