[OWASP-GUIDE] Guide Chapter 10 Thoughts

Gene McKenna mckenna at bluedot.com
Tue Jan 28 16:59:15 EST 2003


> Actually, per discussion on the webappsec mailing list
> http://online.securityfocus.com/archive/107/304740/2002-12-25/2002-12-31/0,
> the general conclusion about PreparedStatements appears to be that
> while they *often* are sufficient to mitigate SQL injection risks, they are no
> guarantee.  There appears to be nothing in the JDBC provider spec that
> requires PreparedStatement implementations to remove potentially malicious
> characters, and an examination of a few open source JDBC providers reveals
> that none of them do so.

That's a good point. I was researching this in the JDBC spec
when we did the 1.1 version and came to the same conclusion.
I think in the 1.1 version I stated that developers should test
their JDBC driver to see how it behaves. Many of the commercial
ones do work. I will make sure the 1.2 version still says this,
I think it might have come out unintentionally.

However, we have to be careful when we say input validation
in this context. Input validation for SQL Injection mitigation
is very different from input validation for Embedded HTML
Tag mitigation. The text in the 1.2 version in chapter 11
states this.

> So it seems apparent that input validation is still required, even if you
> use PreparedStatements.  And using both provides defense in
> depth, which is always good anyway.

Yes, and that is what it says in Chapter 11. If you think
it isn't clear, please let me know.

GENE
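The point made in this exchange, that parameter binding and input validation are separate layers and that using both is defense in depth, is shown below as an added example; it is not code from the thread or from the OWASP Guide. Because the verifier cannot load a JDBC driver, Python's `sqlite3` parameter binding stands in for a JDBC PreparedStatement; the `users` table, the rows in it, and the username allowlist pattern are all constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concatenated(conn, username):
    # Vulnerable form: the caller's value becomes part of the SQL text itself,
    # so quote characters in it change the meaning of the statement.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Bound-parameter form (the analogue of a JDBC PreparedStatement): the
    # statement text is fixed and the value travels separately as data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed allowlist for this particular field: what a username may look
# like in this application, independent of what the database would accept.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(username):
    # Allowlist validation rejects anything that is not a plausible username
    # before it reaches any query, whether or not the driver binds safely.
    return USERNAME_RE.fullmatch(username) is not None


def lookup_defended(conn, username):
    # Defense in depth: validation first, then a bound parameter for the query.
    if not validate_username(username):
        raise ValueError("username rejected by input validation")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    conn = make_db()
    hostile = "' OR '1'='1"
    print(lookup_concatenated(conn, hostile))   # returns every row
    print(lookup_parameterized(conn, hostile))  # [] : value treated as a literal name
    print(validate_username(hostile))           # False : never reaches the query
    print(lookup_defended(conn, "bob"))         # ['bob']
```

The validation rule here is specific to a username field; as the reply notes, the validation appropriate for blocking SQL injection in one field is not the same as the validation needed for, say, embedded HTML in a free-text field, so each input gets a rule that fits its own type.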