------------------------ [EMAIL PROTECTED] wrote: ------------------------

[snip]

> I refer to the pdf
>
> http://www.nextgenss.com/papers/advanced_sql_injection.pdf

Wow, very interesting read. I for one wasn't aware of this problem. It's really nice to have a sysadmin sharing his experiences. Usually, that's a far-from-my-bed-show for most of us, but I surely think it's refreshing.

> for more information. Be aware that more than simple removal of 'bad
> characters' is needed in order to protect oneself fully -- ample examples
> and reasons are given in the paper.
>
> My question, finally: Could future versions of Cocoon protect against this
> type of 'database rape' -- for example in the class
> org.apache.cocoon.acting.DatabaseAuthenticatorAction? Would this be a
> sensible place to put the protection? To me it has the immediate advantage
> that I don't have to write any extra code -- no, seriously. For every
> webapp that I write -- and anyone I can think of, for that matter -- this
> type of protection would be necessary for a login system even to be
> useful. Why not put the few if statements in DatabaseAuthenticatorAction?

Well, AFAIU the pdf, there is no "magic solution" to the problem. In fact, there are 3 solutions proposed, each with their advantages and disadvantages. Which one would you like to see implemented? And would that one be satisfactory for all cocoon users?

> Until this question is settled, I will of course have to insert some kind
> of patch into my webapp. But it would be nice if such controls were done
> automatically in the future.

I agree. Now "all" we have to do is to design the magical solution :-)

> Thank you for your attention.

Thank you for your refreshing input.

tomK
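An added illustration of the point the thread circles around (this is not code from Cocoon, from DatabaseAuthenticatorAction, or from either poster): a login check that splices user input into the SQL text, beside the same check with the input bound as a query parameter, which is the approach that does not depend on maintaining a list of "bad characters". It uses Python's built-in sqlite3 with a constructed one-row users table standing in for the webapp's login database.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the webapp's login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """The pattern the paper warns about: input becomes part of the SQL text,
    so quote characters and comment markers in it change the query's meaning."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Hardened form: the SQL text is fixed and the values are bound
    separately, so whatever the input contains is compared as plain data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def regression_check():
    """Constructed test input with a quote and a comment marker in the username.
    Returns (concat_result, param_result); the hardened version must be None."""
    conn = make_db()
    malformed_user = "alice' --"
    return (login_concat(conn, malformed_user, "wrong"),
            login_param(conn, malformed_user, "wrong"))
```

Run regression_check() as a unit test on any authenticator: with the parameterized form a valid login still succeeds, while a username that is not literally in the table never matches regardless of which characters it contains.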