DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=33088>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=33088

Summary: RFE: validator against sql injection
Product: Struts
Version: 1.2.4
Platform: PC
URL: http://prdownloads.sourceforge.net/owasp/OWASPGuideV1.1.1.pdf?download
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Validator Framework
AssignedTo: dev@struts.apache.org
ReportedBy: [EMAIL PROTECTED]

Prepared statements appear to be the main prevention against such attacks (http://www.mail-archive.com/struts-user@jakarta.apache.org/msg85146.html). For those who cannot use prepared statements, wouldn't it be the easiest to have all form fields that end up in db queries be filtered by validator.xml? If (as per p.32, chapter 10 of the OWASP guide) not only an accept/reject strategy but also a sanitization strategy were to be taken in such an implementation, the validator should "escape" offensive values in a reversible way, and the "unescape" methods should come along with it.

See also: http://www.nextgenss.com/papers/advanced_sql_injection.pdf
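As an added illustration (not part of the bug report, and not Struts or Validator Framework code), the three approaches the report contrasts, side by side in Python with the standard sqlite3 module standing in for a Struts form field reaching JDBC: naive concatenation, a prepared statement, and the reversible escape/unescape pair the reporter asks for, plus an accept/reject mask in the spirit of a validator rule. The users table, its rows, the payload and the USERNAME_MASK pattern are all constructed for this example.

```python
import re
import sqlite3

# Constructed sample table; names and roles are made up for this example.
SAMPLE_ROWS = [("alice", "admin"), ("bob", "user")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the form field is spliced into the SQL text, so a value
    such as  x' OR '1'='1  rewrites the WHERE clause instead of being data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    """Prepared statement: the value is bound as a parameter and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def escape_quotes(value):
    """Reversible sanitisation: double every single quote (the SQL
    string-literal escape). This only protects a single-quoted literal;
    numeric contexts and identifiers get no protection from it."""
    return value.replace("'", "''")


def unescape_quotes(value):
    """Inverse of escape_quotes, so the original field value can be recovered."""
    return value.replace("''", "'")


def lookup_escaped(conn, name):
    """Concatenation with escaping: safe for this quoted-literal case, but
    still string building, so it depends on using the right escape for
    every context rather than on the driver binding the value."""
    sql = "SELECT name FROM users WHERE name = '" + escape_quotes(name) + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


# Accept/reject rule in the spirit of a validator mask; the pattern is an
# assumption for this example, not a Struts default.
USERNAME_MASK = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def accept_username(value):
    """Accept/reject strategy: refuse anything outside the allowed character set."""
    return USERNAME_MASK.fullmatch(value) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("concat  :", lookup_concat(db, payload))
    print("prepared:", lookup_prepared(db, payload))
    print("escaped :", lookup_escaped(db, payload))
    print("accept  :", accept_username(payload))
```

With the tautology payload, lookup_concat returns every row, while both the prepared statement and the escaped concatenation return nothing because the whole value is compared as a name. The escape pair is reversible as the report requests, but note that it covers only single-quoted string literals; a field that lands in a numeric comparison or an identifier position needs a different rule, which is one reason prepared statements remain the primary defence.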