[OWASP-GUIDE] Guide Chapter 10 Thoughts

Christopher Todd chris at christophertodd.com
Tue Jan 28 13:43:05 EST 2003

> Chapter 11 and Chapter 10 both discuss data input validation.
> If we are looking at redoing chapt 10, we should also look
> at chapt 11.

An excellent point, some consolidation would be good.

> 	2) SQL Injection Attacks
> 	   The mitigation technique for this is not user input
> 	   validation, it is use of prepared statements to
> 	   execute queries, or failing that, data sanitization.

Actually, per discussion on the webappsec mailing list
the general conclusion about PreparedStatements appears to be that while they
*often* are sufficient to mitigate SQL injection risks, they are no
guarantee.  There appears to be nothing in the JDBC provider spec that
requires PreparedStatement implementations to remove potentially malicious
characters, and an examination of a few open source JDBC providers reveals
that none of them do so.

So it seems apparent that input validation is still required, even if you
use PreparedStatements.  And using both provides defense in depth, which is
always good anyway.
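The defense-in-depth arrangement the message recommends, shown as an added example that is not part of the original thread or the OWASP Guide text. It uses Python's sqlite3 module in place of JDBC (an assumption for portability) and a constructed in-memory table: a query built by string concatenation is contrasted with the same lookup done through parameter binding, and an allowlist validation step is then layered in front of the bound query.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data for the example; not from the mailing-list thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# Allowlist: short names made of letters, digits and underscore only.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(value):
    """Input validation layer: reject anything outside the allowlist."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def lookup_concat(conn, username):
    """Vulnerable form, kept only for contrast: the value is spliced into the SQL text."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, username):
    """Parameter binding: the SQL text is fixed and the value travels separately."""
    return [
        row[0]
        for row in conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    ]


def lookup_defended(conn, username):
    """Defense in depth as the message suggests: validate first, then bind."""
    return lookup_bound(conn, validate_username(username))


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"  # constructed value containing a quote character
    print(lookup_concat(db, "alice"))   # ['alice@example.com']
    print(lookup_concat(db, tampered))  # every row: the quote altered the query
    print(lookup_bound(db, tampered))   # []: the whole string is one literal username
    try:
        lookup_defended(db, tampered)
    except ValueError as exc:
        print("rejected by validation:", exc)
```

Running the script shows the two layers behaving differently on the same input: the bound query simply finds no such user, while the validation layer rejects the value before any query is issued, so a driver that did not bind correctly would still be protected.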


