[thelist] SQL Update CORRECTION

Joshua Olson joshua at waetech.com
Mon Jul 19 09:34:15 CDT 2004


> -----Original Message-----
> From: Ken Schaefer
> Sent: Sunday, July 18, 2004 7:56 PM

> If you think that doubling quotes will get you out of most injection
> attacks then you didn't read the links that I posted previously.

Ken,

I cannot think of any SQL injection attack that is possible if you double
the single quotes on strings and convert to numbers all input values that are
going to be fed into numeric fields.  Ideally, the conversion routine would
convert the input value to 0 or throw an error if the value is non-numeric.
Am I missing something?

> There are lots of good SQL Injection attack papers out there. Never
> make the mistake that you think you know the ways that an attacker can
> break into your application, especially when you're not in the
> professional security business.
>
> Explicitly choosing to /allow/ things rather than attempting to work
> out what to disallow is the correct way of handling things. For any
> new development, I don't see how this takes any longer than trying to
> work out what to disallow.

Do you have any specific approaches using this methodology that you prefer
to employ when dealing with the possibility of SQL Injection?

<><><><><><><><><><>
Joshua Olson
Web Application Engineer
WAE Tech Inc.
http://www.waetech.com/service_areas/
706.210.0168
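The two approaches discussed in this exchange side by side, as an added example that is not part of the thread: the quote-doubling plus numeric-conversion scheme Joshua describes, and the allow-list style Ken argues for, here in the form of a strict numeric allow-list and parameterized queries. It assumes Python's built-in sqlite3 module and a constructed in-memory users table; the function names and sample rows are invented for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the mailing list).
SAMPLE_USERS = [(1, "Alice"), (2, "O'Brien"), (3, "Ken")]


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def escape_literal(value: str) -> str:
    """Joshua's string rule: double every single quote before splicing the
    value into a quoted SQL literal. This is dialect-specific; it assumes
    the quote is the only character the engine treats specially inside a
    string literal."""
    return value.replace("'", "''")


def to_int(value, default=0):
    """Joshua's numeric rule, written as an allow-list: accept only an
    optionally signed run of digits, otherwise fall back to `default`.
    Pass default=None to raise instead of returning 0."""
    text = str(value).strip()
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    if default is None:
        raise ValueError(f"non-numeric input: {value!r}")
    return default


# --- Escaping approach: values are spliced into the SQL text ---------------

def find_by_name_escaped(conn, name: str):
    sql = f"SELECT id, name FROM users WHERE name = '{escape_literal(name)}' ORDER BY id"
    return conn.execute(sql).fetchall()


def find_by_id_escaped(conn, raw_id):
    sql = f"SELECT id, name FROM users WHERE id = {to_int(raw_id)} ORDER BY id"
    return conn.execute(sql).fetchall()


# --- Allow-list approach: values never become part of the SQL text ---------

def find_by_name_param(conn, name: str):
    # The driver binds the value separately; the SQL text is fixed.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ? ORDER BY id", (name,)
    ).fetchall()


def find_by_id_param(conn, raw_id):
    # Validate the type first (reject rather than coerce), then bind.
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ? ORDER BY id",
        (to_int(raw_id, default=None),),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # constructed quote-bearing input
    print(find_by_name_escaped(db, "O'Brien"))   # [(2, "O'Brien")]
    print(find_by_name_escaped(db, hostile))     # []  (treated as a literal name)
    print(find_by_name_param(db, hostile))       # []  (bound as data)
    print(find_by_id_escaped(db, "2 OR 1=1"))    # []  (non-numeric -> 0)
    print(find_by_id_param(db, "2"))             # [(2, "O'Brien")]
```

The escaping functions work for the inputs shown, but their correctness depends on knowing every character the target engine treats specially inside a literal, which is the kind of deny-list knowledge Ken warns about; the parameterized versions keep the SQL text fixed and hand the values to the driver, so the question does not arise.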