List: webappsec
Subject: Re: Input validation
From: Peter Conrad <conrad () tivano ! de>
Date: 2003-06-23 8:26:10
Hi,
On Thu, Jun 19, 2003 at 01:38:40PM -0400, Kooper, Larry wrote:
>
> When securing a web site against attacks such as SQL injection and XSS, what
> approach do you recommend following to validate user input?
>
> 1) Attempt to massage data so that it becomes valid
> 2) Reject input that is known to be bad
> 3) Accept only input that is known to be good
Depending on the circumstances, I use 1 and 3. Never use 2; it doesn't take
into account input that is bad but not known to be so. 1 can be used if
the user cannot provide invalid input without some form of "hacking", e.g.
if there's a fixed SELECT list and the input doesn't match any of the
available OPTIONs.
> The problem with solutions 1 and 2 is that you may miss some forms of bad
> input. Another subtle problem with solution 1 and 2 is that sometimes bad
> input can be embedded in good input. For example, if someone searches for
> "director's selections" the string "select" would be rejected (as a SQL
> command), resulting in "director's ions."
A string containing "select" is not bad input. The point is that you must
properly escape and quote strings before passing them to e.g. a database.
Bye,
Peter
--
Peter Conrad Tel: +49 6102 / 80 99 072
tivano Software GmbH Fax: +49 6102 / 80 99 071
Bahnhofstr. 18
63263 Neu-Isenburg
Germany
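The three approaches from the thread side by side, as an added example that is not part of the original messages: a keyword denylist (approach 2) that mangles "director's selections" exactly as Larry describes, an allowlist check (approach 3) for a fixed SELECT list, and a database query that passes the search string as a bound parameter so that a title containing "select" or an apostrophe is handled correctly. The `films` table, its two rows and the `SORT_OPTIONS` set are constructed for the demo; sqlite3 stands in for whatever database the application uses.

```python
import re
import sqlite3

# Approach 2 (reject "known bad"): the keyword filter the thread warns about.
# Included only to reproduce the mangling described in the original post.
def denylist_strip(text: str) -> str:
    return re.sub(r"select", "", text, flags=re.IGNORECASE)

# Approach 3 (accept "known good"): a fixed SELECT list. Constructed option set
# for the demo; anything not in it is rejected outright rather than massaged.
SORT_OPTIONS = frozenset({"title", "year"})

def validate_option(value: str, allowed: frozenset = SORT_OPTIONS) -> str:
    if value not in allowed:
        raise ValueError(f"not an allowed option: {value!r}")
    return value

def escape_like(term: str) -> str:
    # A bound parameter protects the query structure, not the LIKE pattern:
    # '%' and '_' are still wildcards, so escape them explicitly.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def make_demo_db() -> sqlite3.Connection:
    # Constructed in-memory table with sample rows for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE films (title TEXT, year INTEGER)")
    conn.executemany(
        "INSERT INTO films VALUES (?, ?)",
        [("director's selections", 1999), ("a quiet year", 2001)],
    )
    return conn

def search_titles(conn: sqlite3.Connection, term: str, sort_by: str = "title") -> list[str]:
    # The ORDER BY column is an identifier and cannot be bound, so it comes
    # from the allowlist; the search term is data and goes through a placeholder.
    column = validate_option(sort_by)
    sql = f"SELECT title FROM films WHERE title LIKE ? ESCAPE '\\' ORDER BY {column}"
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(sql, (pattern,)).fetchall()
    return [row[0] for row in rows]

if __name__ == "__main__":
    print(denylist_strip("director's selections"))   # the mangled result
    db = make_demo_db()
    print(search_titles(db, "director's selections"))  # found intact
    print(search_titles(db, "select"))                 # "select" is ordinary data
```

Running the script shows the denylist turning the search into "director's ions", while the parameterized query finds the row for both "director's selections" and "select" without any keyword stripping; passing an unlisted sort column such as "rating" raises `ValueError` before any SQL is built.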