Andrea Aime wrote:
> Andrea Aime wrote:
>> Andrea Aime wrote:
>>> [email protected] wrote:
>>>> Some thoughts from my side.
>>>>
>>>> 1) Using a regexp to avoid SQL injection is a nice idea. But I think
>>>> most developers are not familiar with regexps and thus the regexp
>>>> mostly used will be ".*", opening the door for all kinds of SQL injection
>>>> attacks. Why not use prepared (callable) statements?
>>> Because the user sponsoring this requires changing parts of the query,
>>> not just values. So prepared statements are useless; there is no funding
>>> for that approach.
>>> If the PSC feels strongly against pure substitution + regexp (like
>>> MapServer does)
>> Right, it may be interesting to show how MapServer handles the param
>> substitution (it's really the same way I'm proposing):
>> http://mapserver.org/cgi/runsub.html
>
> Btw, I'm wondering if we can find a middle ground about this by
> providing a set of pre-cooked regular expressions to match a string
> content, a number and so on, so that one does not need to be a
> regexp wizard to set up proper protection.
Btw, this topic seems to be popular on the net. I've found a registry of regexps designed to prevent injection on particular argument types:
http://www.owasp.org/index.php/OWASP_Validation_Regex_Repository

See also this, in the "white list input validators" section:
http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

Cheers
Andrea

--
Andrea Aime
OpenGeo - http://opengeo.org
Expert service straight from the developers.
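The "pre-cooked regular expressions" middle ground discussed above, as an added Java example that is not GeoTools or MapServer code: a hypothetical ParamSubstitution class ships whitelist patterns for integers, decimals and SQL identifiers, so a configurer picks a named pattern instead of writing ".*", and a placeholder with no pattern is refused rather than substituted. Class, method and pattern names are assumptions made for this example.

```java
import java.util.Map;
import java.util.HashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical class written for this example; not part of GeoTools or MapServer.
public class ParamSubstitution {
    // Pre-cooked whitelist patterns so a configurer never has to write a regexp (or fall back to ".*").
    public static final Pattern INTEGER = Pattern.compile("-?\\d{1,10}");
    public static final Pattern DECIMAL = Pattern.compile("-?\\d{1,10}(\\.\\d{1,6})?");
    // SQL identifiers: letters, digits and underscore only, so quotes, semicolons and comment markers never reach the query.
    public static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");
    private static final Pattern PLACEHOLDER = Pattern.compile("%([A-Za-z0-9_]+)%");
    private final String template;
    private final Map<String, Pattern> rules = new HashMap<>();

    public ParamSubstitution(String template) { this.template = template; }

    public ParamSubstitution allow(String name, Pattern whitelist) {
        rules.put(name, whitelist);
        return this;
    }

    // Replaces each %name% in the template with the caller's value only after the value
    // fully matches the whitelist configured for that name. A placeholder without a rule
    // is a configuration error (default deny), never a silent pass-through.
    public String substitute(Map<String, String> params) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String name = m.group(1);
            Pattern rule = rules.get(name);
            String value = params.get(name);
            if (rule == null) throw new IllegalStateException("no whitelist for %" + name + "%");
            if (value == null || !rule.matcher(value).matches())
                throw new IllegalArgumentException("rejected value for %" + name + "%: " + value);
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        ParamSubstitution q = new ParamSubstitution("SELECT * FROM %table% WHERE id = %id%")
                .allow("table", IDENTIFIER).allow("id", INTEGER);
        System.out.println(q.substitute(Map.of("table", "roads", "id", "42")));
        try { // "42 OR 1=1" is not an integer, so the INTEGER whitelist rejects the whole query
            q.substitute(Map.of("table", "roads", "id", "42 OR 1=1"));
        } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```

Because matches() requires the whole value to match, the patterns need no ^ and $ anchors, and a value that merely contains a valid number is still rejected.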
