[thelist] SQL Update CORRECTION

Ken Schaefer ken.schaefer at gmail.com
Sun Jul 18 18:56:16 CDT 2004


If you think that doubling quotes will get you out of most injection
attacks then you didn't read the links that I posted previously.

There are lots of good SQL Injection attack papers out there. Never
make the mistake that you think you know the ways that an attacker can
break into your application, especially when you're not in the
professional security business.

Explicitly choosing to /allow/ things rather than attempting to work
out what to disallow is the correct way of handling things. For any
new development, I don't see how this takes any longer than trying to
work out what to disallow.

Cheers
Ken


On Fri, 16 Jul 2004 23:06:55 +0100, Jason Robbins
<evolt at whisky-fudge.org.uk> wrote:
> John.Brooking at sappi.com wrote:
> > From the Security chapter of O'Reilly's "CGI Programming with Perl", 2nd
> > Edition (I think the concept applies here too):
> >
> > "The right way is not to make a list of what to disallow. The right way is
> > to make a list of what to allow. This makes the solution much more
> > manageable. If you start by saying that anything goes and looking for those
> > things that cause problems, you will spend a long time looking. There are
> > countless combinations to check. If you say that nothing goes and then
> > slowly add things, you can check each of these as you add them and confirm
> > that nothing will slip past you. If you missed something, you have
> > disallowed something you should allow, and you can correct the problem by
> > testing it and adding it. This is a much safer way to error."
> >
> > "... It's never a good idea to simply trust someone else who provides you a
> > 'definitive' list ... to check against. You are the one who is accountable
> > for your code, so you should fully understand why and how your code works,
> > and not place blind faith in others."
> It is sound advice and the same advice I give to everyone I meet, but not
> always practical! Time and quick solutions are often the ones that are
> needed, even if they are not the better of solutions.
> 
> Jas
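As an added illustration of the two approaches argued over in this thread (it is not code from either poster), the block below puts the deny-list habit of doubling single quotes beside an allow-list validator, then uses only the validated value, and only through a bound parameter, in an SQLite lookup. The id and username shapes, the `users` table and its rows are constructed for the example; the point it makes is Ken's: quote doubling does nothing to an input that contains no quote, whereas an allow list rejects anything that does not look like the one thing you expect.

```python
import re
import sqlite3
from typing import Optional

# Deny-list approach discussed in the thread: double every single quote and
# hope that covers whatever an attacker might send.
def double_quotes(value: str) -> str:
    return value.replace("'", "''")

# Allow-list approach: say exactly what the input may look like and reject
# everything else. Both patterns are assumptions for this example.
ID_PATTERN = re.compile(r"[1-9][0-9]{0,8}")           # a positive integer id
USERNAME_PATTERN = re.compile(r"[a-z][a-z0-9_]{2,15}")  # hypothetical username rule

def allow_id(value: str) -> Optional[int]:
    """Return the id as an int if it has the allowed shape, otherwise None."""
    return int(value) if ID_PATTERN.fullmatch(value) else None

def allow_username(value: str) -> Optional[str]:
    """Return the username unchanged if it has the allowed shape, otherwise None."""
    return value if USERNAME_PATTERN.fullmatch(value) else None

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def lookup_user(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """Validate first; a rejected input never reaches the SQL layer at all."""
    uid = allow_id(raw_id)
    if uid is None:
        return None
    # Even the validated value goes in as a bound parameter, never by
    # concatenating it into the statement text.
    row = conn.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    # A numeric context has no quotes to double, so the deny-list filter
    # passes "1 OR 1=1" through untouched; the allow list rejects it.
    for candidate in ["42", "O'Brien", "1 OR 1=1", ""]:
        print(f"{candidate!r:12} doubled={double_quotes(candidate)!r:14} "
              f"allow_id={allow_id(candidate)!r}")
    print("lookup 1:", lookup_user(conn, "1"))
    print("lookup 1 OR 1=1:", lookup_user(conn, "1 OR 1=1"))
```

The validators return `None` rather than a "cleaned" string on rejection, so the calling code has to decide what to do with bad input instead of silently running a query on whatever the filter happened to leave behind.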

