Hi all,

Was going through the mailing list and came across this topic. I agree with David on some of the parts but I have some comments:

> > I have setup mod_security in my httpd.

David >> If I were you, I would not trust anything with this name. Security is a tricky and complicated issue, and pretty much by definition, it is not a software component you can just install.

Although it is not a complete solution to SQL injection, it can be useful in providing a 1st layer defense in deterring the attacker from further testing with injection tools, which might consume bandwidth and server resources. This component does help reduce attacks to maybe about 30% or less, but it is nevertheless important. Why, you might ask? Because let's say there is a 0day that targets a module (injection-wise) in your application that is not designed by you; the component could probably thwart the attacks till you apply the proper fixes.

> > sanitize your input to prevent SQL injection

David >> Despite its appearance in an xkcd comic (http://xkcd.com/327/), that's a large mistake. You are going to screw yourself over if you imagine that any level of "sanitizing inputs" will actually protect you from attackers. The vast majority of SQL injection attacks come from one single serious strategic mistake on the defender's part, namely taking untrusted input and creating executable code out of it by string concatenation.

I agree with this because sanitizing is the "cheapo or for the time being" solution and may not prove to be the best solution; it is always better to apply proper standards during the development stage itself.

> http://www.owasp.org/index.php/Guide_to_SQL_Injection

David >> That guide is at best misleading, and at worst an actual attack. If I were an attacker, I'd *love* for people to imagine that if they just picked some magical tool--probably one I had a hand in making--that they'd just be safe.

David >> I'll be editing this for reality as soon as I get permission :)

The guide is meant for starters on SQL injection, showing the basic manual methods on how a proper SQL injection can be performed; this then can be put into any other method the attacker wishes to, such as the one David suggested above, so it's not that bad actually :) especially for kiddies like me :) hehe... The content could be improved tho on the "Avoiding" part with better explanation I guess. I hope David can amend it soon :)

Regards,
Ray
Another Security Kiddie sharing my 2 cents...
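The distinction David draws above, as an added example that is not part of the thread: the same user lookup written with string concatenation (untrusted input becomes SQL text) and with a parameterised query (input stays data), run against a constructed in-memory SQLite table.

```python
import sqlite3


def make_db():
    """Constructed sample table, not data from the mailing list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """The mistake described above: the caller's string is pasted into the
    statement, so any quote in it changes the SQL the engine executes."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Parameterised form: the driver binds `name` as a value, so the
    statement text is fixed no matter what the string contains."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A normal name and the classic tautology string from introductory
    # SQL injection material; only the concatenated version is affected.
    for probe in ("bob", "' OR '1'='1"):
        print(repr(probe))
        print("  concat :", lookup_concat(db, probe))
        print("  param  :", lookup_param(db, probe))
```

The concatenated lookup returns every row for the second probe, while the parameterised lookup returns nothing, because no user is literally named `' OR '1'='1`.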
_______________________________________________
Owasp-Malaysia mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-malaysia
OWASP Malaysia Wiki: http://www.owasp.org/index.php/Malaysia
OWASP Malaysia Wiki Facebook: http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420

