Posted to dev@struts.apache.org by bu...@apache.org on 2005/01/13 20:49:06 UTC
DO NOT REPLY [Bug 33088] New: - RFE: validator against sql injection
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=33088>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=33088
Summary: RFE: validator against sql injection
Product: Struts
Version: 1.2.4
Platform: PC
URL: http://prdownloads.sourceforge.net/owasp/OWASPGuideV1.1.1.pdf?download
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Validator Framework
AssignedTo: dev@struts.apache.org
ReportedBy: hauser@acm.org
Prepared statements appear to be the main prevention against such attacks
(http://www.mail-archive.com/struts-user@jakarta.apache.org/msg85146.html).
For those who cannot use prepared statements, wouldn't it be the easiest to
have all form fields that end up in db queries be filtered by validator.xml?
If (as per p.32, chapter 10 of the OWASP guide) not only an accept/reject
strategy, but also a sanitization strategy were to be taken in such an
implementation, the validator should "escape" offensive values in a reversible
way and the "unescape" methods should come along with it.
See also:
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
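The two approaches the report contrasts, shown side by side as an added illustration (this is not code from the Struts project or from the reporter). It assumes a plain JDBC Connection and a hypothetical users(id, name) table; the prepared statement binds the form value as data, so no escape/unescape pair is needed, while the mask check is the Validator-style accept/reject layer the report asks for.

```java
// Added example for bug 33088; not part of Struts. Table and column names are hypothetical.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

public class UserLookup {

    // Vulnerable: the form field is spliced into the query text, so a quote
    // character in the value changes the structure of the SQL statement.
    public static ResultSet findByNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT id, name FROM users WHERE name = '" + name + "'";
        Statement stmt = conn.createStatement();
        return stmt.executeQuery(sql);
    }

    // Prepared statement (the prevention the report names as primary): the value is
    // bound as a parameter and is never parsed as SQL, whatever characters it holds.
    // Nothing is rewritten, so there is no reversible escaping to undo later.
    public static ResultSet findByName(Connection conn, String name) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "SELECT id, name FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }

    // Accept/reject check in the spirit of a validator.xml mask rule: only the
    // characters a user name is expected to contain are allowed through.
    // This is defence in depth for the form layer, not a substitute for binding.
    private static final Pattern NAME_MASK = Pattern.compile("^[A-Za-z0-9_.-]{1,32}$");

    public static boolean isAcceptableName(String name) {
        return name != null && NAME_MASK.matcher(name).matches();
    }
}
```

In a Struts form the same accept/reject rule would be expressed as a mask validator on the field in validator.xml; the binding in findByName is what actually keeps the value out of the SQL grammar.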