Sunday, January 25, 2015

A very interesting way to protect against SQL injection and XSS

Dan Kaminsky, whom I greatly respect (the Dan Kaminsky known for discovering the fundamental vulnerability in DNS), has proposed a very interesting technique for universal protection against SQL injection and XSS.

The method is very simple and ingenious.

The essence of the trick is to substitute all data into the SQL query in its base64 representation, which makes any parsers or analyzers of the data used in the SQL query (placeholders and the like) unnecessary.

Roughly, it looks like this:
«SELECT * from mytable where textfield = base64_decode('Q29vbEhhY2tlcnM=')»
where base64_decode is the base64 decoding function provided by the particular database (MySQL, for example, calls it FROM_BASE64()).

Since the user's data, once encoded, contains no special characters, it poses no threat to the query we build from it. There is no need to escape or alter the input in any way: it is enough to base64 encode it and send it in the query. The encoding must of course be done on the server from the raw value; a base64 string that arrives from the client is just more untrusted input and cannot be spliced in as-is.
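To make the point concrete, here is the server-side half of the technique as an added example (not code from the original post or from Kaminsky): a classic injection payload is passed through the naive string splice and through the base64 wrapper, and the resulting query strings are compared. It assumes the database is MySQL 5.6 or later, whose FROM_BASE64() decodes base64 text; other engines expose the same operation under a different name.

```javascript
// Added example, not code from the original post: the server-side half of the
// technique, with a classic injection payload beside the naive string splice.
// Assumes the database is MySQL >= 5.6, whose FROM_BASE64() decodes base64
// text; other engines expose the same operation under a different name.
const BASE64_LITERAL = /^[A-Za-z0-9+/]*={0,2}$/;

// The vulnerable construction, kept only for comparison: the quote in the
// input terminates the string literal and the rest becomes SQL.
function naiveQuery(userInput) {
  return `SELECT * FROM mytable WHERE textfield = '${userInput}'`;
}

// Encode on the server, from the raw value. A base64 string supplied by the
// client is itself untrusted and must not be spliced in as-is.
function encodeForSql(value) {
  return Buffer.from(String(value), 'utf8').toString('base64');
}

// The alphabet is A-Z, a-z, 0-9, '+', '/' and '=' padding: no quotes,
// backslashes, semicolons or comment markers can appear between the quotes.
function isBase64Literal(s) {
  return BASE64_LITERAL.test(s);
}

function base64Query(userInput) {
  const literal = encodeForSql(userInput);
  if (!isBase64Literal(literal)) {
    throw new Error('encoder produced a non-base64 literal'); // defence in depth
  }
  return `SELECT * FROM mytable WHERE textfield = FROM_BASE64('${literal}')`;
}

// What the database sees after FROM_BASE64(): the original bytes, untouched.
function decodeLiteral(literal) {
  return Buffer.from(literal, 'base64').toString('utf8');
}

const attack = "' OR '1'='1";
console.log(naiveQuery(attack));  // ... textfield = '' OR '1'='1'  (injected)
console.log(base64Query(attack)); // ... FROM_BASE64('JyBPUiAnMSc9JzE=') (inert)
```

Note that FROM_BASE64() hands the database the original bytes, so the value is still attacker-controlled data once it is inside the query; the encoding only guarantees that it can never be parsed as SQL syntax.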

The technique also applies on the client side, for instance when data has to be placed inside quotes in an event handler attribute or in JS. Decoding from base64 can then be done directly in JS (atob()) to recover the original data. The decoded value must still be inserted as text (textContent or the like) rather than as HTML, since decoding restores the original characters verbatim.

From my point of view, the method is ingenious. Its drawbacks (in my opinion) are two: the memory for values stored this way grows by about a third (base64 spends 4 bytes for every 3, so roughly 33%), and the load on the server grows because the input parameters have to be encoded (this, I think, can be ignored), as does the load on the database server because of the decoding (this, I think, cannot be neglected).
To know for sure, though, one would have to run experiments; perhaps there are knowledgeable Habr users ready to share their opinions on this?
