cocoon-dev mailing list archives

From: Torsten Curdt
Subject: Re: SQL Injections: Wrapup
Date: Wed, 06 Nov 2002 00:47:49 GMT
On Wed, 2002-11-06 at 01:00, Carl Mäsak wrote:
> These are a few things in the "SQL Injection" thread that ring true to me
> (I here take the liberty of rephrasing people's opinions in my own words,
> but try to give due credit to the first one to bring up each topic):
> 1. Functionality for making a pretty secure SQL interface in Cocoon
> already exists today. Using PreparedStatements is a good example of this.
> (Christian Haul)

True - for SQL.

> 2. Implementing enforced security to Cocoon might be possible, but perhaps
> not necessarily a Good Thing, adding unnecessary bulk to Cocoon, and it
> might not be all-encompassing/failsafe anyway. (Torsten Curdt)

> 3. SQL Injections really are an issue. It's easy to write (say) a login script
> that doesn't check against SQL Injections. (Geoff Howard)

We should fix this by using a prepared statement in the login action.

> 4. Some users don't want additional protection. They are happy with the
> current level of (lack of) protection, and add their own as needed. (Peter
> Hunsberger)

AFAIU some would also like to have a centralized management...

> 5. Data type checking shouldn't have to be done by the Database Relational
> Management System, but by the application querying the DBMS. (Ilya
> Kriveshko)

...but in the real world they do a pretty good job ;)

> 6. There doesn't seem to be any explicit mention of SQL Injections in the
> Cocoon docs. (Torsten Curdt)

Christian, did you check the docs?

> Thanks again for all the relevant feedback.

Thanks for the summary :)
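The login-script problem from point 3 and the prepared-statement fix from point 1, side by side. This is an added example, not code from the thread or from Cocoon itself: it uses Python's sqlite3 module with a constructed in-memory users table so it runs offline, where a Cocoon login action would bind its parameters through a JDBC PreparedStatement in exactly the same way (placeholders in the SQL text, values supplied separately).

```python
import sqlite3


def make_db():
    """Constructed sample data so the example runs stand-alone.
    Passwords are stored in clear only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """The kind of login check point 3 warns about: user input is pasted
    straight into the SQL text, so a quote in the input ends the literal
    and the rest of the input becomes part of the WHERE clause."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn, name, password):
    """The fix from point 1: a prepared statement. The SQL text is fixed and
    contains only placeholders; the driver passes the values separately, so
    whatever the user types is compared as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def demo():
    """Run both checks against a constructed test input: the textbook
    tautology that turns the concatenated WHERE clause into 'always true'.
    Returns (concat_result, prepared_result)."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return login_concat(conn, "alice", tautology), login_prepared(conn, "alice", tautology)


if __name__ == "__main__":
    concat_ok, prepared_ok = demo()
    print("string-concatenated query accepted the bogus password:", concat_ok)
    print("prepared statement accepted the bogus password:", prepared_ok)
```

The point is that the prepared statement makes the quoting problem disappear at the driver level, so the fix does not depend on every action author remembering to escape input; the application-side type and length checks from point 5 still belong in front of it, but they are a second line, not the only one.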
