On Thu, Sep 2, 2010 at 11:47 AM, Nathan Schultz <[email protected]> wrote:

> I'm a little surprised by comments that most devs wouldn't know what a SQL
> Injection attack was. Most developers I've worked with have a class of
> some kind with a function for sanitizing data against SQL Injection.
>
> These days you don't see them used so often, as SQL Parameters / Linq to SQL
> / Entity Framework / nHibernate, etc. all offer protection against SQL
> Injection attacks. And many frameworks, such as MVC, are making it easier
> than ever to protect against XSS attacks (and CSRF vulnerabilities to an
> extent), by making the default syntax encode HTML.
It is *critical* that people realise things need to be encoded for *context*, not just "HTML". I.e. what is valid output in an area such as:

    <p>$foo</p>

is not valid when used here:

    <a href="$foo">silky</a>

It's obvious when stated, but it's easy to miss, and having everything "done for you" doesn't help, unless it's context-aware (which would be great).

--
silky
http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy of being this signature."
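To make the context point concrete, here is an added example (not code from the thread) with two encoders: one for HTML text content and one for an href attribute. The same constructed value passes the text encoder unchanged and inert, but has to be scheme-checked and URL-encoded before it can go into an href; the function names, the allowed-scheme list and the test value are assumptions of this example.

```python
"""Context-aware output encoding: the same untrusted value needs different
treatment as HTML text content than inside an href attribute."""
import html
import re
from urllib.parse import quote, urlsplit

# Assumed policy: schemes a link may use. Anything else (javascript:, data:,
# vbscript:, ...) is treated as unsafe inside href="...".
SAFE_SCHEMES = {"http", "https", "mailto"}
# RFC 3986 reserved + unreserved characters, left untouched by percent-encoding.
_URL_SAFE = ":/?#[]@!$&'()*+,;=%-._~"


def encode_for_html_text(value: str) -> str:
    """Escape for text content such as <p>$foo</p>. Sufficient for that context only."""
    return html.escape(value, quote=True)


def encode_for_href(value: str) -> str:
    """Escape for use inside href="...": check the URL scheme first, then
    percent-encode the URL, then entity-encode it for the attribute."""
    # Browsers ignore tab/newline inside a URL and strip surrounding whitespace,
    # so normalise the same way before the scheme is inspected.
    cleaned = re.sub(r"[\t\r\n]", "", value).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"  # neutralise rather than emit a script-capable URL
    return html.escape(quote(cleaned, safe=_URL_SAFE), quote=True)


def render_link(text: str, url: str) -> str:
    """Build <a href="$url">$text</a> with each value encoded for its own context."""
    return f'<a href="{encode_for_href(url)}">{encode_for_html_text(text)}</a>'


if __name__ == "__main__":
    # Constructed test value: harmless as paragraph text, live code in an href.
    probe = "javascript:alert(1)"
    print("<p>" + encode_for_html_text(probe) + "</p>")  # text context: unchanged, inert
    print(render_link(probe, probe))                     # href context: replaced by "#"
```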
