Re: doing math with html

Posted by wayne on 05/24/07 09:03

Adrienne Boswell wrote:
> Gazing into my crystal ball I observed Toby A Inkster
> <usenet200703@tobyinkster.co.uk> writing in
> news:0o3di4-s96.ln1@ophelia.g5n.co.uk:
>
>> Adrienne Boswell wrote:
>>> wayne:
<snip>
>> Surely, "not testing for single quotes" falls into the category of not
>> "check[ing] each field for valid input characters"?
>>
>
> You would be surprised - there are stored procedures where it doesn't
> matter, and there's replacing single quotes with another character, a
> tilde is often a choice. Some developers are working with Access
> databases, and don't know how/what a stored procedure is. If the
> developer doesn't write it into a function, and has to write field =
> replace(field,"'","~") a whole bunch of times, they can get lazy and
> forget one - for example a phone number. The developer thinks "Oh, phone
> numbers don't have single quotes, and no one is going to put a single
> quote in a phone number, so no need for a check" -- and that's where the
> injection takes place.
>

If you were copying files to your web server, wouldn't you check
permissions so others could not write to them? If you set any of the
permissions to "777" and your web site is compromised, isn't that your
fault?

If a developer is writing databases, he/she MUST test all fields and
code. Part of testing requires entering characters not needed for a
field (like special characters in numerical or text fields) and seeing
whether the form allows this. If the developer does not do this, there
are plenty of hackers who will test the code for them.


--
Wayne
www.glenmeadows.us
"I cannot imagine a God who rewards and punishes the objects of his
creation, whose purposes are modeled after our own -- a God, in short,
who is but a reflection of human frailty. Neither can I believe that the
individual survives the death of his body, although feeble souls harbor
such thoughts through fear or ridiculous egotism." [Einstein]
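The scenario the thread describes, as an added example that is not code from either poster: a lookup that "escapes" the name field by swapping single quotes for tildes but leaves the phone number alone, the injection that comes in through the phone field, the parameterised query that closes it, and a small probe in the spirit of Wayne's advice that feeds a quote into every field and reports which ones change behaviour. It uses Python's built-in sqlite3 in place of the Access database mentioned in the thread; the table, rows and payload strings are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original thread).
ROWS = [
    ("alice",   "555-0100", "secret-a"),
    ("bob",     "555-0101", "secret-b"),
    ("O'Brien", "555-0102", "secret-c"),   # a legitimate name containing a quote
]


def fresh_db():
    """Build an in-memory SQLite table standing in for the Access database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone TEXT, note TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def escape_quotes(value):
    """The ad-hoc defence from the thread: replace(field, "'", "~")."""
    return value.replace("'", "~")


def find_user_concat(conn, name, phone):
    """Vulnerable lookup: name is 'escaped' by hand, phone is not, because
    'phone numbers never contain single quotes'."""
    sql = ("SELECT name, note FROM users WHERE name = '" + escape_quotes(name)
           + "' AND phone = '" + phone + "'")
    return conn.execute(sql).fetchall()


def find_user_param(conn, name, phone):
    """Fixed lookup: every value travels as a bound parameter, so no field
    can be forgotten and quotes in the data stay data."""
    sql = "SELECT name, note FROM users WHERE name = ? AND phone = ?"
    return conn.execute(sql, (name, phone)).fetchall()


def probe_fields(conn, query_fn, field_names):
    """Wayne's testing step, automated: put characters the field should
    never need into each field in turn.  Returns the fields where a quote
    either broke the statement (a database error) or matched rows that the
    harmless values alone would not match."""
    benign = ["nobody", "000-0000"]            # matches no row in ROWS
    payloads = ["'", "x' OR '1'='1"]           # a bare quote, then a tautology
    weak = []
    for i, field in enumerate(field_names):
        for payload in payloads:
            args = list(benign)
            args[i] = payload
            try:
                rows = query_fn(conn, *args)
            except sqlite3.Error:
                weak.append(field)             # the quote reached the parser
                break
            if rows:
                weak.append(field)             # the quote altered the WHERE logic
                break
    return weak


if __name__ == "__main__":
    conn = fresh_db()
    print("attack via phone field:", find_user_concat(conn, "nobody", "x' OR '1'='1"))
    print("same input, parameterised:", find_user_param(conn, "nobody", "x' OR '1'='1"))
    print("tilde trick loses O'Brien:", find_user_concat(conn, "O'Brien", "555-0102"))
    print("parameterised finds him:", find_user_param(conn, "O'Brien", "555-0102"))
    print("weak fields, concat:", probe_fields(conn, find_user_concat, ["name", "phone"]))
    print("weak fields, param: ", probe_fields(conn, find_user_param, ["name", "phone"]))
```

Two things the probe makes visible that the thread only states: the forgotten phone field hands back every row in the table, and the tilde replacement is not really an escape, it silently corrupts legitimate data such as O'Brien, so the same customer can never be looked up by the "protected" path. Binding parameters avoids both problems without any per-field bookkeeping.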
