Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > webappsec > 03 > 010343.html (Request Expert securityfocus.com Support)

Re: Lazy sanitizing of data for SQL queries

From: Sverre H. Huseby <shh(at)thathost.com>
Date: Fri Jan 24 2003 - 16:00:21 EST

[Sverre H. Huseby (that's me)]

| Yes. What would you do for columns that were not textual?

I'm answering myself, because I responded too quickly. My second objection (or confusion) goes like this:

What would you gain? Instead of having to remember to always call a function to escape quotes, ensure numeric and so on, you would have to remember calling a function to do BASE64. I can't see what you win.

And if that wasn't enough, you would _also_ have to remember to always call a function to decode BASE64 after reading from the database, so your scheme actually makes it all even more cumbersome.

Not to mention all the hassle you must go through to manually inspect or edit the database. In addition, you must do calculations between BASE64 lengths and actual lengths when you define the tables (if you want to do length checks in the application).

And finally (at least for this mail), you will run into problems if you allow other applications (beyond your control) to access the same database. Many applications grow far beyond the initial intent, so this scenario may be more likely than one first thinks (at least if you program a huge web application for a large customer).

Do you need help?X

Sverre.

PS: I'm a little bit angry with myself because I didn't immediately

    see the sorting problem mentioned by Phil Brass. :) 

-- 
shh@thathost.com		Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/	
http://nerdquiz.thathost.com/
Received on Fri Jan 24 16:10:06 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:48 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library