It’s impossible to overemphasize the need to sanitize user input that will be displayed to users in a Web application. Just ask MySpace.
© 2024 rc3.org
October 14, 2005 at 2:01 pm
And the real shame is that often it is very simple to sanitize input.
For example, if you are pulling in record numbers, currency values, dates, etc., it is trivially easy to convert these to their native formats and then plug it right back into your sql statement.
For example:
All too often, I’ll actually see something like
And then it is SQL-injection city.
The amount of code that is vulnerable in this way is mind-boggling. Every industry and company I’ve ever worked at had critical, production code with these same issues. Based upon the lack of any stories in the MSM, I believe either the companies are very good at covering up/blissfully ignoring break-ins, most attacks are the result of blind luck, or most crackers are dumber than a box o’ rocks. Or all three.
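The comment above contrasts concatenating a raw request string into SQL with converting it to its native type first. The code below is an added illustration, not code from the post or the commenter; the invoices table, its rows and the lookup functions are constructed for this example. It shows the concatenation pattern returning every row when handed `1 OR 1=1`, and the typed-conversion pattern (int, Decimal, date) rejecting the same input before it ever reaches the query, with the converted value then bound as a parameter.

```python
import sqlite3
from datetime import date
from decimal import Decimal, InvalidOperation


def make_db():
    """Constructed sample data for the example (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, amount REAL, due TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO invoices (id, amount, due, secret) VALUES (?, ?, ?, ?)",
        [(1, 19.99, "2005-10-14", "only-for-customer-1"),
         (2, 250.00, "2005-11-01", "only-for-customer-2")],
    )
    return conn


def lookup_unsafe(conn, record_id):
    """The pattern the comment complains about: the raw string becomes SQL text."""
    sql = "SELECT secret FROM invoices WHERE id = " + record_id
    return [row[0] for row in conn.execute(sql)]


# --- native-type conversion: each parser returns a typed value or raises ValueError ---

def parse_record_id(value):
    """Record numbers are integers; anything else is rejected outright."""
    try:
        return int(value.strip())
    except (AttributeError, ValueError):
        raise ValueError("record id must be an integer") from None


def parse_amount(value):
    """Currency values become Decimal; 'NaN', 'Infinity' and junk are rejected."""
    try:
        amount = Decimal(value.strip())
    except (AttributeError, InvalidOperation):
        raise ValueError("amount must be a decimal number") from None
    if not amount.is_finite():
        raise ValueError("amount must be finite")
    return amount


def parse_date(value):
    """Dates must be ISO YYYY-MM-DD; the result is a date object, not a string."""
    try:
        return date.fromisoformat(value.strip())
    except (AttributeError, ValueError):
        raise ValueError("date must be YYYY-MM-DD") from None


def rejects(parser, value):
    """Helper for checking that a parser refuses a given input."""
    try:
        parser(value)
    except ValueError:
        return True
    return False


def lookup_safe(conn, record_id):
    """Convert first, then bind: the int is a value, never part of the SQL text."""
    rid = parse_record_id(record_id)
    rows = conn.execute("SELECT secret FROM invoices WHERE id = ?", (rid,))
    return [row[0] for row in rows]


def find_due_before(conn, due, max_amount):
    """Same idea for a date and a currency value taken from a request."""
    d = parse_date(due)
    a = parse_amount(max_amount)
    rows = conn.execute(
        "SELECT id FROM invoices WHERE due <= ? AND amount <= ?",
        (d.isoformat(), float(a)),  # sqlite3 binds str/float; Decimal is not adapted by default
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("unsafe, honest input:", lookup_unsafe(db, "1"))
    print("unsafe, injected:    ", lookup_unsafe(db, "1 OR 1=1"))
    print("safe, honest input:  ", lookup_safe(db, " 1 "))
    print("safe, injected:      ", "rejected" if rejects(parse_record_id, "1 OR 1=1") else "accepted")
```

The typed value does double duty: it fails fast on anything that is not a number or a date, and because it is bound as a parameter the SQL text stays constant. The `float(a)` conversion is only there because the stdlib `sqlite3` driver does not bind `Decimal` directly; a production schema would normally store money as integer cents.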
October 14, 2005 at 3:18 pm
True, there are trivial checks out there.
But this exploit was really nasty/tricky. Parts of it rely on browser bugs, like treating “javascript” with an embedded newline as the proper value. Hard to protect against that.
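The reply above points at the hard part of output sanitization: a browser may accept "javascript" with a newline embedded in it as the scheme, so a check that looks for the literal string misses it. The code below is an added example, not code from the post or either commenter; the sample attribute values and the function names are constructed for it. It shows a literal substring check passing the newline variant, and a check that strips ASCII control characters and whitespace before comparing, then allowlists the schemes it will emit instead of denylisting the ones it knows about.

```python
import html
import re

# Constructed attribute values a user might submit for a link (not from the page).
SAMPLES = {
    "plain": "http://example.com/x",
    "obvious": "javascript:alert(1)",
    "newline": "java\nscript:alert(1)",
    "tab": "java\tscript:alert(1)",
    "mixed_case": " JaVaScRiPt:alert(1)",
    "protocol_relative": "//evil.example/x",
}


def naive_is_safe_url(value):
    """The quick check that looks for the literal scheme string."""
    return "javascript:" not in value.lower()


# ASCII control characters (including \n and \t) and space.
_CONTROL_AND_SPACE = re.compile(r"[\x00-\x20\x7f]")


def normalize_scheme(value):
    """Remove the characters a browser may ignore inside the scheme, then lower-case.
    The result is used only for the decision, never rendered."""
    return _CONTROL_AND_SPACE.sub("", value).lower()


def hardened_is_safe_url(value):
    """Allowlist: after normalization the value must be an http(s) URL or a
    same-site path. javascript:, data:, vbscript: and anything unknown fail."""
    norm = normalize_scheme(value)
    if norm.startswith(("http://", "https://")):
        return True
    # A single leading slash is a same-site path; "//" would switch hosts.
    return norm.startswith("/") and not norm.startswith("//")


def render_href(value):
    """Value for an href attribute: escaped if allowed, a harmless "#" otherwise."""
    if not hardened_is_safe_url(value):
        return "#"
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:18} naive={naive_is_safe_url(value)!s:5} "
              f"hardened={hardened_is_safe_url(value)!s:5} href={render_href(value)!r}")
```

The design choice is to decide on a normalized copy but render the original: the normalization is deliberately aggressive (it would mangle a legitimate URL containing a space), which is fine for a yes/no decision and wrong for output. Allowlisting the schemes you will emit also means a scheme you never thought of is rejected by default rather than slipping through a list of known-bad prefixes.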