[thelist] SQL Update CORRECTION

John.Brooking at sappi.com John.Brooking at sappi.com
Fri Jul 16 14:54:22 CDT 2004


> Date: Fri, 16 Jul 2004 15:08:13 +0100
> From: Jason Robbins <evolt at whisky-fudge.org.uk>
> To: "thelist at lists.evolt.org" <thelist at lists.evolt.org>
> Subject: Re: [thelist] SQL Update CORRECTION
> 
> Question - If I went through each string before using it 
> as a parameter to search for quotes and either refused 
> to run the sql statement or deleted the quotes first - 
> would that solve the majority of sql injection attacks?

From the Security chapter of O'Reilly's "CGI Programming with Perl", 2nd
Edition (I think the concept applies here too):

"The right way is not to make a list of what to disallow. The right way is
to make a list of what to allow. This makes the solution much more
manageable. If you start by saying that anything goes and looking for those
things that cause problems, you will spend a long time looking. There are
countless combinations to check. If you say that nothing goes and then
slowly add things, you can check each of these as you add them and confirm
that nothing will slip past you. If you missed something, you have
disallowed something you should allow, and you can correct the problem by
testing it and adding it. This is a much safer way to error."

"... It's never a good idea to simply trust someone else who provides you a
'definitive' list ... to check against. You are the one who is accountable
for your code, so you should fully understand why and how your code works,
and not place blind faith in others."

I'm not preaching, I'm just quoting. These sound like wise suggestions to
me, and I try to code by them.

I'd make this into a tip, but since it's a direct quote from copyrighted
material, I'm not sure I should...

John Brooking, Application Developer
Sappi Fine Paper
South Portland, ME, 04106 USA
-- 
 

This message may contain information which is private, privileged or
confidential and is intended solely for the use of the individual or entity
named in the message. If you are not the intended recipient of this message,
please notify the sender thereof and destroy / delete the message. Neither
the sender nor Sappi Limited (including its subsidiaries and associated
companies) shall incur any liability resulting directly or indirectly from
accessing any of the attached files which may contain a virus or the like. 
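Added example, not part of the thread above: a small Python script contrasting the deny-list approach from the question (delete quote characters) with the allow-list approach from the quoted book (accept only input matching the shape you expect), and then binding the validated value as a query parameter. The table, names, e-mail addresses and the two regular expressions are constructed for this example; the second pattern stands in for the "you disallowed something you should allow, so add it" step the quote describes.

```python
import re
import sqlite3

# Allow-list for a login name: exact character set and length (constructed rule).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

# A widened allow-list, adopted after finding that a legitimate name such as
# o'brien was wrongly rejected by USERNAME_RE. Still an allow-list: the
# apostrophe is admitted explicitly, nothing else changes.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def strip_quotes(value: str) -> str:
    """Deny-list approach from the question: remove the quote characters.

    Anything the list never mentioned (semicolons, backslashes, ...) passes
    straight through, which is the "countless combinations" problem.
    """
    return value.replace("'", "").replace('"', "")


def is_allowed(value: str, pattern: re.Pattern) -> bool:
    """Allow-list approach: accept only what matches the expected shape."""
    return pattern.fullmatch(value) is not None


def build_demo_db() -> sqlite3.Connection:
    """In-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("o'brien", "ob@example.invalid")],
    )
    return conn


def find_email(conn: sqlite3.Connection, name: str, pattern: re.Pattern = USERNAME_RE):
    """Validate against the allow-list first, then bind the value as a parameter.

    The parameter binding means an admitted apostrophe (NAME_RE) is still data,
    never part of the SQL text. Returns the e-mail or None; raises on rejection.
    """
    if not is_allowed(name, pattern):
        raise ValueError(f"rejected input: {name!r}")
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_demo_db()
    for candidate in ("alice", "o'brien", "al;ice"):
        print(f"{candidate!r}: deny-list leaves {strip_quotes(candidate)!r}, "
              f"allow-list (USERNAME_RE) says {is_allowed(candidate, USERNAME_RE)}")
    print(find_email(db, "alice"))            # alice@example.invalid
    print(find_email(db, "o'brien", NAME_RE))  # ob@example.invalid
```

The point to take from running it: the quote-stripping function reports success on `al;ice` because a semicolon was never on its list, while the allow-list rejects it without anyone having to think of semicolons; and the only change needed to admit `o'brien` is one extra character in the pattern, with the parameter binding keeping that quote harmless.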

