
Re: Input validation

From: Peter Conrad <conrad(at)tivano.de>
Date: Mon Jun 23 2003 - 04:26:10 EDT

Hi,

On Thu, Jun 19, 2003 at 01:38:40PM -0400, Kooper, Larry wrote:
>
> When securing a web site against attacks such as SQL injection and XSS, what

Depending on the circumstances, I use 1 and 3. Never use 2, it doesn't take into account input that is bad but not known to be so. 1 can be used if the user cannot provide invalid input without some form of "hacking", like e. g. if there's a fixed SELECT list and the input doesn't match any of the available OPTIONs.

> The problem with solutions 1 and 2 is that you may miss some forms of bad

A string containing "select" is not bad input. The point is that you must properly escape and quote strings before passing them to e. g. a database.

Bye,

        Peter

-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18
63263 Neu-Isenburg
Germany
Received on Mon Jun 23 09:07:15 2003
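Larry's three options survive here only in the truncated quotes, but Peter's argument (whitelist where the input comes from a fixed SELECT list, never blacklist, otherwise quote and escape properly before the database sees the string) can be shown in code. This is an added example, not code from the thread; it uses Python's sqlite3 with bound parameters standing in for the "escape and quote" step, and the table, column names and sample rows are constructed for the demonstration.

```python
import sqlite3

# Option 1 (whitelist): the form offers a fixed SELECT list, so a value that
# is not one of the OPTIONs can only have arrived through tampering.
ALLOWED_SORT_COLUMNS = {"name", "created"}


def validate_sort_column(value: str) -> str:
    """Return value unchanged if it is a known OPTION, else raise ValueError."""
    if value not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {value!r}")
    return value


# Option 2 (blacklist): rejects anything containing "select". This is the
# approach the post argues against; it is here only to show what it breaks.
def blacklist_rejects(value: str) -> bool:
    return "select" in value.lower()


# Option 3: never splice the string into the SQL text. The identifier is
# whitelisted above; the value is handed to the driver as a bound parameter,
# so quotes inside it are data, not syntax.
def find_users_by_comment(conn: sqlite3.Connection, comment: str, sort_by: str) -> list:
    column = validate_sort_column(sort_by)
    sql = f"SELECT name FROM users WHERE comment = ? ORDER BY {column}"
    return [row[0] for row in conn.execute(sql, (comment,))]


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, comment TEXT, created INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "Select the red one", 1),   # legitimate text, blacklist rejects it
            ("bob", "O'Brien's choice", 2),       # legitimate text, breaks naive quoting
            ("carol", "plain comment", 3),
        ],
    )
    return conn
```

Both "Select the red one" and "O'Brien's choice" are found by exact match through the parameterised query, while the blacklist would have turned the first one away.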

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:53 EDT

