
Re: [WEB SECURITY] Tip on preventing SQL injection attacks/column on biometrics



Hi Anurag -

On 4/10/06, Anurag Agarwal <a_agrawwal@xxxxxxxxx> wrote:
> There are three things parameterized query, dynamic query and then stored
> procedures. I understand what you are trying to convey here and again as
> mentioned in the article, if the array strings you are passing as a
> parameter to the stored procedure are the input from the user then they
> should be validated (point 10: Sanitizing the input) using the validation
> technique mentioned at the bottom of the article. Though i have given an
> example in java but i hope you can get some idea by that. Please also note
> that all the input needs to be validated irrespective of whether it goes as
> a parameterized query, dynamic SQL or to a stored procedure.

In your example, your validation routine accepts strings that consist
of only alphanumerics and the '_' character.  Is it necessary to be
this strict if you are using Java PreparedStatement, or can you safely
pass arbitrary data as a parameter to a prepared statement?

I ask because for certain types of data, such as usernames that may
contain any unicode character, using a whitelist to validate that the
characters are valid isn't practical.  Can you rely on
PreparedStatement to protect you from SQL injection in such a case?

Regards,
Brian

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


