[Owasp-delhi] input / output sanitization

dhar_ar at yahoo.com dhar_ar at yahoo.com
Mon Feb 1 10:55:46 EST 2010

My 2 paise/cents and a bit more ;) :

1. "Could 'sanitization' (input sanitization) be an effective remedy for sql injection ?" - It could help but validation is better for sure for SQL Injection as mentioned by Venkat!

SQL Injection can also be prevented by simple design patterns that act as sanitizers. Example: O/R mapping frameworks, parameterized stored procs (but depends on the proc), google it man :)

2. "For XSS, which is better, input sanitization or output sanitization ?"

There's already been a lot of discussion on this. 

I'm not sure what Venkat means by "The same holds good for XSS as well" because XSS is a different ball game.

You could kill an ant with a bomb, or you may want to consider OWASP open source tools, define a security policy that states from a web aspect what is permissible and what isn't, and review it with IT / business users.

Plus I wouldn't put XSS validation at the data source level, so for me it's not the same, because having ever-changing security policies mixed with low-level sanitization would be a pain to maintain.

...It's the same in the basic principle of sanitization/validation. But approaching these two problems is different and requires thought as per requirements.

3. Last but not the least; I don't think "Sanitize/Validate everything even internal" is always right. Just like you don't use "https" for every web page or synchronize every block of code (overkills) :). One has to look at the domain, requirements, usability, maintainability etc. to decide. Idealistically, if validation is not costly, maybe; but practically, due to many reasons, maybe not!


Sent from BlackBerry® on Airtel
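An added example for points 1 and 2 above (not code from the post, from OWASP, or from any tool it mentions): in Python with the standard-library sqlite3, html and json modules. It shows the "design pattern that acts as a sanitizer" for SQL injection (a bound parameter, plus an allowlist validation step as the post prefers) and, for XSS, output encoding applied at the HTML rendering point rather than at the data source, with a second non-HTML sink to show why input-time encoding would be wrong. The users table, the username allowlist and all inputs are constructed for the example.

```python
import html
import json
import re
import sqlite3

# Constructed sample data (assumption for this example, not from the post).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]

# Allowlist for a username field: the 'validation' the post prefers for SQL injection.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def build_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def validate_username(name):
    """Allowlist validation: True only for values shaped like a username."""
    return bool(USERNAME_RE.match(name))


def lookup_concatenated(conn, name):
    """Insecure 'before': the value is spliced into the SQL text, so the
    database cannot separate data from query structure.  A legitimate name
    containing a quote already breaks it.  Returns ("ok", rows) or
    ("error", exception class name)."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def lookup_parameterized(conn, name):
    """Hardened: a bound parameter is sent separately from the statement,
    so quotes or keywords inside the value stay inert data."""
    rows = conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()
    return ("ok", rows)


def render_html(value):
    """Output encoding for the HTML body context, applied where the value is
    rendered.  The stored value itself is left untouched."""
    return "<p>Hello, " + html.escape(value, quote=True) + "</p>"


def render_json(value):
    """The same stored value going to a non-HTML sink (an API response).
    HTML-encoding it at input time would have corrupted this output."""
    return json.dumps({"name": value})


def json_round_trips(value):
    """True if the JSON sink returns the value exactly as stored."""
    return json.loads(render_json(value))["name"] == value


if __name__ == "__main__":
    conn = build_db()
    for candidate in ("bob", "O'Brien"):
        print(candidate, "passes allowlist:", validate_username(candidate))
        print("  concatenated :", lookup_concatenated(conn, candidate))
        print("  parameterized:", lookup_parameterized(conn, candidate))
    stored = '<b>bob</b> & "co"'
    print(render_html(stored))
    print(render_json(stored))
```

The concatenated lookup fails on a perfectly valid name with an apostrophe, which is the same confusion of data and structure that injection exploits; the parameterized lookup simply returns no rows. Keeping the stored value raw and encoding per output context is what lets one record serve both the HTML page and the JSON API without the data-source-level policy coupling the post warns about.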

-----Original Message-----
From: <Venkatesh.Jagannathan at cognizant.com>
Date: Mon, 1 Feb 2010 11:25:28 
To: <sureshtiwary at rediffmail.com>; <owasp-delhi at lists.owasp.org>
Subject: Re: [Owasp-delhi] input / output sanitization
