[thelist] sql injection problem
Brian Cummiskey
Brian at hondaswap.com
Mon Sep 25 13:20:24 CDT 2006
Chris at globet.com wrote:
> If you receive invalid input, why are you then processing it instead of
> ceasing all processing and informing the user that they have entered
> invalid input? If someone's trying to hack your system, they're trying
> to hack your system. Although I don't really like real world
> comparisons, please forgive the following: If there's a burglar at my
> front door, I would feel safer not letting him in at all rather than
> giving him a quick pat-down for illegal weapons then letting him in.
>
Understood. I'm just not sure if there's a good way to do this.
The ncat is a text string which denotes a Category. They are written
weirdly and inconsistently, and contain both alpha and numeric characters,
one or a mix of the two.
> I would personally URL-decode the
> input value, then check that it contained only alpha/numeric characters
> and spaces (or whatever your criteria are). If any further system
> vulnerabilities are discovered, you're unlikely to be compromised.
>
So, once I URL-decode, I still need to strip out the SCRIPT, INSERT, etc.,
etc., no? I don't see how this helps much. It saves a little time over
replacing all the single/double quotes, but in the end, I still need to
replace out the commands.
Or am I not following?
Thanks,
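An added example, not code from the thread or from hondaswap.com, illustrating the two-step approach discussed above (URL-decode, then whitelist) alongside a parameterized query, so the reader can see what each step actually buys. The category names, the table layout, and the function names (validate_ncat, lookup_unsafe, lookup_safe) are all assumptions made up for the illustration; the "unsafe" lookup is kept only to contrast with the safe one. Python with sqlite3 is used here because it runs stand-alone; the same pattern applies to any driver that supports bound parameters.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample data in the "weird, inconsistent" style the post describes:
# mixed letters, digits, spaces and hyphens. Not real hondaswap data.
# "Drop In Filter" is included on purpose: a keyword blacklist that strips
# DROP/INSERT/etc. would mangle a perfectly legitimate category name.
SAMPLE_CATEGORIES = ["B16A2", "D Series Heads", "K20 swap parts",
                     "92-95 Civic", "Drop In Filter"]

# Whitelist for the ncat value: a leading letter/digit, then letters, digits,
# spaces or hyphens, at most 64 characters total. Anything else is rejected
# outright rather than "cleaned up" (the criteria are an assumption here).
NCAT_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 \-]{0,63}$")


class InvalidInput(ValueError):
    """Raised when a request parameter fails whitelist validation."""


def validate_ncat(raw: str) -> str:
    """URL-decode the raw query-string value, then accept it only if it
    matches the whitelist. Returns the decoded value or raises InvalidInput."""
    decoded = urllib.parse.unquote_plus(raw)
    if not NCAT_PATTERN.fullmatch(decoded):
        raise InvalidInput(f"ncat rejected: {decoded!r}")
    return decoded


def is_valid_ncat(raw: str) -> bool:
    """Boolean convenience wrapper around validate_ncat."""
    try:
        validate_ncat(raw)
        return True
    except InvalidInput:
        return False


def build_db() -> sqlite3.Connection:
    """In-memory database holding the constructed sample categories."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories (name) VALUES (?)",
                     [(c,) for c in SAMPLE_CATEGORIES])
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, ncat: str) -> list:
    """The 'before' pattern: the value is concatenated into the SQL text.
    Shown only for contrast; the WHERE clause is attacker-controlled."""
    sql = f"SELECT id, name FROM categories WHERE name = '{ncat}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, raw_ncat: str) -> list:
    """Whitelist first, then bind the value as a parameter. No keyword
    stripping is needed: a bound parameter is never parsed as SQL."""
    ncat = validate_ncat(raw_ncat)
    return conn.execute(
        "SELECT id, name FROM categories WHERE name = ?", (ncat,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    injected = "' OR '1'='1"
    print("unsafe, injected input returns", len(lookup_unsafe(db, injected)), "rows")
    print("whitelist accepts injected input?", is_valid_ncat(injected))
    print("safe lookup, URL-encoded:", lookup_safe(db, "D+Series+Heads"))
    print("safe lookup, keyword-looking name:", lookup_safe(db, "Drop+In+Filter"))
    print("safe lookup, bare keyword:", lookup_safe(db, "INSERT"))
```

With the value bound as a parameter, a bare `INSERT` or `SELECT` arriving as the category name is just a string that matches no row; it does not need to be stripped, and stripping it would break real names like "Drop In Filter". The whitelist is the layer that stops the quote-based payload before any query runs, and the parameter binding is what keeps a value that slips past validation from ever changing the query's structure.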