cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Torsten Curdt <tcu...@dff.st>
Subject Re: A case of SQL injection
Date Tue, 05 Nov 2002 11:49:48 GMT
On Tuesday 05 November 2002 12:26, Leo Sutic wrote:
> > From: Christian Haul [mailto:haul@dvs1.informatik.tu-darmstadt.de]
> >
> > Another important aspect is not to compose a query from
> > strings but use PreparedStatements for that.
>
> IMO, input validation is a bad patch and *this* is the correct
> solution.

indeed

> The fundamental security flaw is the mixing of SQL commands with
> user input that isn't present when using prepared statements (or
> parameterized queries as they are called in ADO-land).

> With input validation you have to outsmart the hacker, making sure that
> you have covered *all* possible bad inputs and not any good input.

That's the wrong way. You do it the other way round: you define only the good 
input. Everything else gets discarded. That's MUCH safer.

> With prepared statements you win by without fighting.

This is true for SQL - but look at the new input modules where you get a 
request parameter and pass it to components or put it even into a path inside 
a sitemap!

> > I don't see what could be done further.
>
> Me neither.

Defining what is exspected to come with the request... no matter where.
--
Torsten

---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org


Mime
View raw message