[thelist] sql injection problem

Brian Cummiskey Brian at hondaswap.com
Mon Sep 25 13:20:24 CDT 2006


Chris at globet.com wrote:
> If you receive invalid input, why are you then processing it instead of
> ceasing all processing and informing the user that they have entered
> invalid input? If someone's trying to hack your system, they're trying
> to hack your system. Although I don't really like real world
> comparisons, please forgive the following: If there's a burglar at my
> front door, I would feel safer not letting him in at all rather than
> giving him a quick pat-down for illegal weapons then letting him in.
>   
Understood.  I'm just not sure if there's a good way to do this.
The ncat is a text string which denotes a Category.  They are written 
weirdly and inconsistently, and contain both alpha and numeric characters, one 
or a mix of the two.
> I would personally URL-decode the
> input value, then check that it contained only alpha/numeric characters
> and spaces (or whatever your criteria are). If any further system
> vulnerabilities are discovered, you're unlikely to be compromised.
>   

So, once I url-decode, I still need to strip out the SCRIPT, INSERT, etc 
etc, no?  I don't see how this helps much.  It saves a little time over 
replacing all the single/double quotes, but in the end, I still need to 
replace out the commands.
Or am I not following?


Thanks,



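An added example (not from this thread or from hondaswap.com) of the approach Chris describes: URL-decode the ncat value, accept it only if it matches an allowlist of letters, digits and spaces, reject it outright otherwise, and bind it as a query parameter rather than concatenating it into the SQL. It also shows, with a constructed category table, why stripping keywords like INSERT is a poor substitute: it mangles legitimate values that happen to contain the word. The table, column names and sample categories are assumptions.

```python
import re
import sqlite3
import urllib.parse
from typing import Optional

# Allowlist: letters, digits and spaces only (the criteria suggested in the
# thread); widen the set only for characters the real categories actually use.
NCAT_PATTERN = re.compile(r"^[A-Za-z0-9 ]{1,64}$")

def validate_ncat(raw: str) -> Optional[str]:
    """URL-decode the query value; return it only if it passes the allowlist."""
    decoded = urllib.parse.unquote_plus(raw)
    return decoded if NCAT_PATTERN.fullmatch(decoded) else None

def lookup_category(conn: sqlite3.Connection, raw_ncat: str):
    """Reject invalid input before any processing; otherwise run a bound query."""
    ncat = validate_ncat(raw_ncat)
    if ncat is None:
        return None  # stop here and tell the user the input is invalid
    # The value is bound with a placeholder, never spliced into the SQL text.
    cur = conn.execute("SELECT id, name FROM categories WHERE name = ?", (ncat,))
    return cur.fetchall()

def strip_keywords(value: str) -> str:
    """The keyword-stripping approach from the thread, for comparison only."""
    return re.sub(r"SCRIPT|INSERT", "", value, flags=re.IGNORECASE)

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data; hypothetical table and categories."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO categories(name) VALUES (?)",
        [("Civic EG6",), ("B18C swap",), ("Inserts and bushings",)],
    )
    return conn

if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_category(db, "B18C+swap"))             # accepted, bound lookup
    print(lookup_category(db, "B18C%27 swap"))          # quote fails allowlist -> None
    print(lookup_category(db, "Inserts+and+bushings"))  # legitimate value still works
    print(strip_keywords("Inserts and bushings"))       # keyword stripping mangles it
```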