On 05.Nov.2002 -- 12:26 AM, Carl Mäsak wrote:
[...]
> Today I have been thinking about what would really patch the security
> hole. What we're talking about here, by the way, is a phenomenon called
> 'SQL Injection', a term which should be familiar to every developer of web
> applications that interface with an SQL database. If you don't know about
> this security hazard, and your webapp uses SQL, you are through inaction
> placing your information, and thereby your users, at the mercy of
> competent (and not so competent) hackers!
>
> I refer to the pdf
>
> http://www.nextgenss.com/papers/advanced_sql_injection.pdf
>
> for more information. Be aware that more than simple removal of 'bad
> characters' is needed in order to protect oneself fully -- ample examples
> and reasons are given in the paper.
>
> My question, finally: Could future versions of Cocoon protect against this
> type of 'database rape' -- for example in the class

As the document points out, input validation is crucial. Cocoon offers input validation through XMLForms and the *ValidatorActions, e.g. the FormValidatorAction.

Another important aspect is not to compose a query from strings but to use PreparedStatements for that. This way the driver takes care that a parameter is just a parameter and not a command. All the database actions do that. ESQL does that, too, if the <esql:parameter/> tags are used.

I don't see what could be done further.

HTH.

Chris.

--
C h r i s t i a n H a u l
[EMAIL PROTECTED]
fingerprint: 99B0 1D9D 7919 644A 4837 7D73 FEF9 6856 335A 9E08
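The point Chris makes about composing queries from strings versus binding parameters, shown as a small JDBC example added here (not Cocoon's own code, and not from either poster). It assumes an HSQLDB driver on the classpath for the in-memory table; the two query methods themselves work against any JDBC driver.

```java
import java.sql.*;

// Added example: the same lookup written with string concatenation and with
// a PreparedStatement. Assumes HSQLDB is on the classpath for the demo table.
public class SqlInjectionDemo {

    // Vulnerable: the user-supplied value becomes part of the SQL text, so a
    // value such as  x' OR '1'='1  changes the structure of the query itself.
    static int countByConcatenation(Connection con, String user) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + user + "'";
        try (Statement st = con.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Safe: the value is bound as a parameter. The driver sends it as data,
    // never as SQL, so the same hostile input simply matches no row.
    static int countByParameter(Connection con, String user) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample data in an in-memory HSQLDB database (assumption).
        try (Connection con = DriverManager.getConnection("jdbc:hsqldb:mem:demo", "SA", "")) {
            try (Statement st = con.createStatement()) {
                st.execute("CREATE TABLE users (name VARCHAR(32))");
                st.execute("INSERT INTO users VALUES ('alice')");
                st.execute("INSERT INTO users VALUES ('bob')");
            }
            String hostile = "x' OR '1'='1";
            // Concatenation: the OR clause is parsed as SQL and every row matches.
            System.out.println("concatenated: " + countByConcatenation(con, hostile));
            // Parameter binding: the whole string is compared as a literal name.
            System.out.println("parameterised: " + countByParameter(con, hostile));
        }
    }
}
```

The same separation of query text from data is what Cocoon's database actions and ESQL's <esql:parameter/> give you; the demo only makes the difference visible with a single hostile input.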