
RE: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection

From: Christopher Todd <chris(at)christophertodd.com>
Date: Tue Dec 31 2002 - 15:29:39 EST


Michael,

Of course, you are absolutely correct that all user input should be validated, and if it were validated perfectly and reliably, we would have no need for any other security measures to protect the application or its data stores. But defense in depth is a mantra for a reason - the programmer who wrote the validation routines may have screwed up, failed to account for something, etc. Furthermore, it is not uncommon for people's names to contain apostrophes or hyphens, and some folks get mad when you take those out of their names just because your programmer thinks he's being clever and removes those "dangerous" characters in the name of defeating SQL injection.

Aside from that, I am not writing the section of the Guide on input validation; someone else has already done that.

Chris

> -----Original Message-----
> From: Michael Howard [mailto:mikehow@microsoft.com]
> Sent: Tuesday, December 31, 2002 2:34 PM
> To: Jeff Williams @ Aspect; Kevin Spett; Dave Aitel;
> webappsec@securityfocus.com
> Subject: RE: JDBC PreparedStatements, Java Data Objects/O-R mapping, and
> SQL Injection
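The point of the reply above is that a name like O'Brien is legitimate input, and that stripping "dangerous" characters to defeat injection both mangles real data and leaves the concatenated query fragile. The following is an added example (not code from the thread or the Guide it mentions) showing the three behaviours side by side using Python's built-in sqlite3 module, whose `?` placeholders are the DB-API equivalent of a JDBC PreparedStatement with setString(). The user table and the names in it are constructed sample data; the function names are this example's own.

```python
import sqlite3

# Constructed sample data (not from the original post): names that
# legitimately contain apostrophes and hyphens.
SAMPLE_USERS = [
    ("Conan O'Brien", "conan@example.com"),
    ("Mary-Kate Olsen", "mk@example.com"),
    ("Alice Smith", "alice@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT NOT NULL)")
    # Parameterized insert: the driver binds each value, so the apostrophe in
    # O'Brien is stored as data rather than parsed as SQL.
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def strip_dangerous_chars(name):
    """The 'clever' validator the post complains about: drops quotes,
    hyphens and semicolons, silently changing the user's real name."""
    return "".join(ch for ch in name if ch not in "'\"-;")


def email_by_name_concat(conn, name):
    """Query built by string concatenation (the pattern PreparedStatements
    replace). Returns the email, None if no row matched, or the parser's
    error message when the concatenated text is not valid SQL."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return "ERROR: " + str(exc)
    return row[0] if row else None


def email_by_name_param(conn, name):
    """Parameterized query: the value is bound separately from the SQL text,
    so any character in the name is just data."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def compare(name):
    """Run the same lookup three ways and return the results keyed by approach."""
    conn = make_db()
    result = {
        "concat": email_by_name_concat(conn, name),
        "concat_after_strip": email_by_name_concat(conn, strip_dangerous_chars(name)),
        "param": email_by_name_param(conn, name),
    }
    conn.close()
    return result


if __name__ == "__main__":
    for name in ("Conan O'Brien", "Mary-Kate Olsen"):
        print(name, compare(name))
```

Running it shows the apostrophe breaking the concatenated query outright, the stripped version returning no match because the stored name no longer equals the "sanitised" one, and the parameterized version returning the right row in both cases. That is the defence-in-depth argument in miniature: validation decides what input is acceptable, while parameter binding makes the query's structure independent of that input, so a mistake in one does not depend on the other being perfect.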
Received on Tue Dec 31 15:48:22 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT