[thelist] form field safety

Ken Schaefer Ken at adOpenStatic.com
Sun Oct 26 21:37:33 CDT 2008


Well, let's go back to injection first principles...

The reason you have SQL Injection problems in the first place is because we're mixing "code" and "data". So, in a forum where the delineation between the SQL code and the SQL data is innocuous (e.g. ASP.NET or PHP or something), we are trying to build a properly demarcated piece of SQL, and then sending it to the database for processing. Unfortunately, most people's code is buggy, so you get injection attacks.

One way to get around this is to rely on the application framework, and the people who write the database providers for such frameworks (e.g. whoever writes your OleDb provider or ODBC driver or SqlClient managed provider). Generally they have put a lot more effort/testing into ensuring that their code is robust and can't be broken out of. Additionally, they may work with a database API to ensure that the database understands what is the "code" part, and which are the data parameters. The database engine ensures that the "data" can't accidentally be interpreted as "code" to be executed.

With SMTP, things are probably a little bit simpler: the only "code" part is the SMTP headers (which can instruct the email client how to interpret the message body). As long as the client can't "inject" something into your email as a header, it's going to be part of the body. And if you can force the body to be displayed as plain text, then you're probably safe.

Cheers
Ken

> -----Original Message-----
> From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org]
> On Behalf Of Joel D Canfield
> Sent: Monday, 27 October 2008 1:21 PM
> To: thelist at lists.evolt.org
> Subject: Re: [thelist] form field safety
>
> > Just have the server email it to you as plain text. And make sure
> > there isn't any way that the submitter could "inject" a header into
> > the SMTP message - everything they submit must go into the SMTP body.
> > When it gets to your mail client, it's just a bunch of plain text...
> >
> > Cheers
> > Ken
>
> straightforward enough; I think my fevered mind was trying to complicate
> it based on my recent database debacles. no db involved here, so lesser
> debacle.
>
> thanks
>
> joel
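An added example, not from Ken's message or anything else in this thread, showing the "code versus data" point from both halves of the reply: first the same login query built by string concatenation and with a bound parameter, run against an in-memory SQLite table; then the form-to-email message built by concatenating submitted values into the header block, beside a builder whose headers are all server-controlled and whose body carries everything the submitter typed. Both results are parsed the way a receiving mail client would read them. It uses only Python's standard-library sqlite3 and email modules; the user rows, the example.invalid addresses and the injected form values are constructed for the demo.

```python
import re
import sqlite3
from email import message_from_string
from email.message import EmailMessage

# Constructed sample data for the demo (not real accounts or addresses).
USERS = [("alice", "alice-secret"), ("bob", "bob-secret")]
OWNER = "site-owner@example.invalid"
# A form value a submitter might send: a CR/LF followed by a header line.
INJECTED_SENDER = "attacker@example.invalid\r\nBcc: victim@example.invalid"


def _db():
    """Fresh in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(username, password):
    """Vulnerable: the submitted values are spliced into the SQL text, so the
    engine cannot tell where the query ends and the data begins."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in _db().execute(sql)]


def login_param(username, password):
    """Hardened: the SQL text is fixed and the driver passes the values to the
    engine separately, so they are bound as data and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in _db().execute(sql, (username, password))]


def is_header_safe(value):
    """True if a value may be placed in a header: it contains no CR or LF, so
    it cannot end the current header line and start another (or end the
    header block and start the body)."""
    return re.search(r"[\r\n]", value) is None


def build_mail_concat(sender, subject, body):
    """Vulnerable: submitted values are concatenated into the header block."""
    return ("From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s"
            % (sender, OWNER, subject, body))


def build_mail_safe(sender, subject, body):
    """Hardened: every header is fixed and server-controlled; everything the
    submitter typed goes into a text/plain body, where a line that looks like
    'Bcc: ...' is just text."""
    msg = EmailMessage()
    msg["From"] = "webform@example.invalid"
    msg["To"] = OWNER
    msg["Subject"] = "Web form submission"
    msg.set_content("Sender: %s\nSubject: %s\n\n%s" % (sender, subject, body))
    return msg.as_string()


def parse_mail(raw):
    """Interpret a raw message the way a receiving client would: returns the
    header names (lower-cased) mapped to their values, and the body text."""
    msg = message_from_string(raw)
    return {k.lower(): v for k, v in msg.items()}, msg.get_payload()


if __name__ == "__main__":
    # SQL: the comment sequence '--' cuts off the password check.
    print(login_concat("alice' --", "wrong"))   # ['alice']  (bypassed)
    print(login_param("alice' --", "wrong"))    # []         (treated as data)

    # SMTP: the injected CR/LF becomes a real Bcc header in the naive build...
    headers, body = parse_mail(build_mail_concat(INJECTED_SENDER, "hi", "hello"))
    print(headers.get("bcc"))                   # victim@example.invalid
    # ...but only body text when all submitted values go into the body.
    headers, body = parse_mail(build_mail_safe(INJECTED_SENDER, "hi", "hello"))
    print("bcc" in headers, "Bcc: victim" in body)  # False True
    print(is_header_safe(INJECTED_SENDER))      # False
```

The same separation Ken describes for the database driver is what `build_mail_safe` does by hand for mail: the header block is written entirely from fixed values, and the submitter's text can only ever be body. `is_header_safe` is the check to apply if a submitted value really must go into a header (a Reply-To, say); rejecting any CR or LF is what stops a value from terminating the header line it sits in.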
