cocoon-dev mailing list archives

From Christian Haul <h...@dvs1.informatik.tu-darmstadt.de>
Subject Re: A case of SQL injection
Date Tue, 05 Nov 2002 08:34:56 GMT
On 05.Nov.2002 -- 12:26 AM, Carl Mäsak wrote:

[...]

> Today I have been thinking about what would really patch the security
> hole. What we're talking about here, by the way, is a phenomenon called
> 'SQL Injection', a term which should be familiar to every developer of web
> applications that interface with an SQL database. If you don't know about
> this security hazard, and your webapp uses SQL, you are through inaction
> placing your information, and thereby your users, at the mercy of
> competent (and not so competent) hackers!
> 
> I refer to the pdf
> 
> http://www.nextgenss.com/papers/advanced_sql_injection.pdf
> 
> for more information. Be aware that more than simple removal of 'bad
> characters' is needed in order to protect oneself fully -- ample examples
> and reasons are given in the paper.
> 
> My question, finally: Could future versions of Cocoon protect against this
> type of 'database rape' -- for example in the class

As the document points out, input validation is crucial. Cocoon offers
input validation through XMLForms and the *ValidatorActions,
e.g. the FormValidatorAction.

Another important aspect is not to compose a query from strings but
use PreparedStatements for that. This way the driver takes care that a
parameter is just a parameter and not a command. All the database
actions do that. ESQL does that, too, if the <esql:parameter/> tags
are used.

I don't see what could be done further.

HTH.

	Chris.
-- 
C h r i s t i a n       H a u l
haul@informatik.tu-darmstadt.de
    fingerprint: 99B0 1D9D 7919 644A 4837  7D73 FEF9 6856 335A 9E08
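The point of the reply above, the driver keeping a bound parameter a parameter, shown in an added example that is not from the thread or from Cocoon. It uses Python's sqlite3 DB-API placeholders to stand in for JDBC PreparedStatement parameters (or ESQL's <esql:parameter/>), on a constructed in-memory users table.

```python
import sqlite3

# Constructed sample data for the demo; not taken from any real system.
ROWS = [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "pa55")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_by_concatenation(conn, name):
    """The pattern the thread warns against: query text composed from strings.
    Whatever the caller supplies becomes part of the SQL grammar."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_by_parameter(conn, name):
    """The pattern the reply recommends: a placeholder bound by the driver
    (the DB-API counterpart of a PreparedStatement parameter). The value is
    handed over as data and is never parsed as SQL."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run the same lookup both ways; a failed concatenated query is reported
    as the string 'SQL error' so the two behaviours can be compared side by side."""
    conn = make_db()
    try:
        concat = lookup_by_concatenation(conn, name)
    except sqlite3.Error:
        concat = "SQL error"
    param = lookup_by_parameter(conn, name)
    conn.close()
    return concat, param


if __name__ == "__main__":
    # A plain name, a name with an apostrophe, and a value carrying SQL syntax:
    # only the bound version treats all three as literal text to match against.
    for probe in ["alice", "O'Brien", "x' OR '1'='1"]:
        concat, param = compare(probe)
        print(f"{probe!r:18} concatenated -> {concat}   bound -> {param}")
```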
