Posted to dev@struts.apache.org by bu...@apache.org on 2005/01/13 20:49:06 UTC

DO NOT REPLY [Bug 33088] New: - RFE: validator against sql injection

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=33088>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=33088

           Summary: RFE: validator against sql injection
           Product: Struts
           Version: 1.2.4
          Platform: PC
               URL: http://prdownloads.sourceforge.net/owasp/OWASPGuideV1.1.1.pdf?download
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Validator Framework
        AssignedTo: dev@struts.apache.org
        ReportedBy: hauser@acm.org


Prepared statements appear to be the main prevention against such attacks
(http://www.mail-archive.com/struts-user@jakarta.apache.org/msg85146.html).

For those who cannot use prepared statements, wouldn't it be the easiest to
have all form fields that end up in db queries be filtered by validator.xml?

If (as per p.32, chapter 10 of the OWASP guide) not only an accept/reject
strategy, but also a sanitization strategy were to be taken in such an
implementation, the validator should "escape" offensive values in a reversible
way and the "unescape" methods should come along with it.

See also:
http://www.nextgenss.com/papers/advanced_sql_injection.pdf

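The two strategies the report contrasts, as an added illustration that is not part of the bug report or of Struts: a parameterized (prepared) query beside the string-concatenated query it replaces, plus an accept/reject allowlist of the kind a validator mask would enforce on the form field. The table, rows and mask are constructed for the example.

```python
import re
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed in-memory sample table; not data from the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return conn


def lookup_prepared(conn, name):
    """Prepared statement: the form value is bound as a parameter, so the
    driver never splices it into the SQL text."""
    rows = conn.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


def lookup_concat(conn, name):
    """The pattern the report wants to get away from: the form value is
    pasted into the SQL string, so quotes in it change the query."""
    rows = conn.execute(f"SELECT name, role FROM users WHERE name = '{name}'")
    return [r[0] for r in rows]


def concat_fails_on_apostrophe(conn, name="O'Brien"):
    """A legitimate value with an apostrophe breaks the concatenated query."""
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


# Accept/reject strategy (OWASP guide): an allowlist mask for the field,
# like a Struts "mask" validator rule would apply. Constructed pattern.
USERNAME_MASK = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def accept_reject(name):
    return bool(USERNAME_MASK.match(name))


if __name__ == "__main__":
    c = setup()
    print(lookup_prepared(c, "x' OR 'a'='a"), lookup_concat(c, "x' OR 'a'='a"))
```

Note that the allowlist also rejects the legitimate name O'Brien, which is the lossiness that motivates the reporter's request for a reversible escape/unescape pair rather than rejection alone.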