On Tuesday 05 November 2002 12:26, Leo Sutic wrote:
> > From: Christian Haul [mailto:haul@;dvs1.informatik.tu-darmstadt.de]
> >
> > Another important aspect is not to compose a query from
> > strings but use PreparedStatements for that.
>
> IMO, input validation is a bad patch and *this* is the correct
> solution.

indeed

> The fundamental security flaw is the mixing of SQL commands with
> user input that isn't present when using prepared statements (or
> parameterized queries as they are called in ADO-land).
>
> With input validation you have to outsmart the hacker, making sure that
> you have covered *all* possible bad inputs and not any good input.

That's the wrong way. You do it the other way round: you define only the
good input. Everything else gets discarded. That's MUCH safer.

> With prepared statements you win without fighting.

This is true for SQL - but look at the new input modules where you get a
request parameter and pass it to components or put it even into a path
inside a sitemap!

> > I don't see what could be done further.
>
> Me neither.

Defining what is expected to come with the request... no matter where.

--
Torsten
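The two points made in this thread, that composing SQL from strings is the flaw and prepared statements remove it, and that input reaching non-SQL sinks such as a sitemap path should be checked against a positive definition of the good input rather than a list of bad inputs, can be seen side by side in the following added example. It is not code from the thread or from Cocoon; it uses Python's sqlite3 module (whose `?` placeholders play the same role as JDBC PreparedStatement parameters) and a constructed in-memory table, and the allowed character set and length for a path segment are assumptions chosen for the illustration.

```python
import re
import sqlite3


# Constructed sample table (not data from the original thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_composed(conn, name):
    """The flawed pattern: the request parameter is spliced into the SQL
    text, so SQL syntax inside the value becomes part of the command."""
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """The parameterized pattern: the SQL text is fixed and the value is
    bound separately, so it is only ever compared as data."""
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Positive definition of what a request parameter may look like when it
# is used outside SQL, e.g. as a path segment. Anything that does not
# match is discarded; no attempt is made to enumerate bad inputs.
# The character set and length limit are assumptions for this example.
PATH_SEGMENT = re.compile(r"[A-Za-z0-9_-]{1,32}")


def is_acceptable_segment(value):
    return PATH_SEGMENT.fullmatch(value) is not None


def demo():
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        # Only alice's row, as intended.
        "composed_normal": lookup_composed(conn, "alice"),
        # The payload turns the WHERE clause into "name = '' OR '1'='1'",
        # so every row comes back.
        "composed_attack": lookup_composed(conn, payload),
        # The same payload is just a string nobody is named; no rows.
        "prepared_attack": lookup_prepared(conn, payload),
        "segment_ok": is_acceptable_segment("report-2002"),
        "segment_traversal": is_acceptable_segment("../etc/passwd"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it prints two rows for the composed query under attack and an empty result for the prepared one; the traversal-style segment is rejected by the allowlist without any list of forbidden sequences ever being written down.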