WebApp Sec mailing list archives

Re: SQL Injection

From: Frank Knobbe <frank () knobbe us>
Date: Wed, 16 Jun 2004 11:17:29 -0500

On Wed, 2004-06-16 at 03:56, Stephen de Vries wrote:

But I think we agree that the data must be validated at some point, so
instead of validating it in a function just before output, it would be
more elegant to define another function that accepts the data and 
validates it as input.



I understand what you are saying. But calling it input and output depend
on the point of view of the observer. I was (in my mind) segmenting it
into trust boundaries. Your trust your code, you don't trust the user.
User inputs data to your code, and your code output data to the user.

Perhaps we should just call it data validation, without explicitly
labeling it input and output. That way data validation can be applied
between trust boundaries, or application modules/functions.

(That way Jeff can keep it a Top 10 list ;)

What are your thoughts? 

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Re: SQL Injection, (continued)
- - - Re: SQL Injection Jeff Williams (Jun 16)
    - Re: SQL Injection Frank Knobbe (Jun 16)
    - Re: SQL Injection Frank Knobbe (Jun 28)
    - RE: SQL Injection Mutallip Ablimit (Jun 29)
    - Re: SQL Injection gcb33 (Jun 29)
    - Re: SQL Injection Alex Russell (Jun 16)
- Re: SQL Injection Jeff Williams (Jun 14)
  - RE: SQL Injection Clement Dupuis (Jun 14)
- Re: SQL Injection Stephen de Vries (Jun 17)
  - Re: SQL Injection athena (Jun 17)
  - Re: SQL Injection Frank Knobbe (Jun 21)