Bob Barrows [MVP]
11/13/2008 2:31:00 AM
MikeR wrote:
>
> What's your take on the need to sanitize the input before sending it
> to the query? I got mixed signals from those papers.
It's mildly controversial. Some people take the stand that since SQL
injection is impossible given the use of parameters, then in-depth
sanitation, beyond the obvious task of preventing errors by making sure the
supplied data is of the proper datatypes, is nothing but a waste of time.
My thinking is that security should consist of several layers, the first
being to validate the data to make sure it does not contain attempts to
breach your security. True, validation is not 100% secure, so the fall-back
layer is the use of parameters rather than dynamic SQL. Some people
recommend inconveniencing the hacker when detected: for example, redirecting
him to a page that looks like what he would get if his hack was successful,
but displaying a perpetual progress bar so that his time is wasted. At the
very least, detected attempts should be logged so you are alerted about
them.
--
Microsoft MVP - ASP/ASP.NET - 2004-2007
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
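The two layers Bob describes (validate the datatype first and log anything that fails, then fall back on a parameterized query rather than dynamic SQL), as an added example that is not part of the original thread. It uses Python with the standard sqlite3 module as a stand-in for the ADO code the newsgroup is about; the table, the sample rows, the `REJECTED` alert list and the client address are all constructed for the demo.

```python
import logging
import sqlite3

# Added example (not from the original newsgroup post): a two-layer lookup.
# Layer 1 validates that the supplied id really is an integer and logs anything
# else as a detected attempt; layer 2 always uses a parameterized query, so even
# if validation were bypassed the value is bound as data, never as SQL text.
log = logging.getLogger("input-check")
REJECTED = []  # constructed in-memory "alert log" so the demo is self-contained


def setup_db():
    """Constructed sample table standing in for a real products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    return conn


def validate_id(raw, remote_addr="203.0.113.10"):
    """Layer 1: accept only a plain non-negative integer; log and reject the rest."""
    if isinstance(raw, str) and raw.strip().isdigit():
        return int(raw)
    log.warning("rejected product id %r from %s", raw, remote_addr)
    REJECTED.append((remote_addr, raw))
    return None


def find_product(conn, product_id):
    """Layer 2: parameterized query; the value is bound, not spliced into the SQL."""
    cur = conn.execute("SELECT id, name FROM products WHERE id = ?", (product_id,))
    return cur.fetchall()


def lookup(conn, raw):
    """Run both layers; rejected input never reaches the database."""
    pid = validate_id(raw)
    if pid is None:
        return []
    return find_product(conn, pid)


if __name__ == "__main__":
    db = setup_db()
    print(lookup(db, "2"))               # [(2, 'gadget')]
    print(lookup(db, "2 or 1=1"))        # [] and a warning is logged
    print(find_product(db, "2 or 1=1"))  # [] even with validation skipped
```

The last call shows the fall-back layer on its own: the non-numeric string is compared as a literal against the integer column and matches nothing, with no SQL error and no extra rows.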