Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create 269-knowledge_base-knowledge_base--type_checking_and_length_ch…
…ecking--.md
- Loading branch information
Showing
1 changed file
with
22 additions
and
0 deletions.
There are no files selected for viewing
22 changes: 22 additions & 0 deletions
22
..._base/269-knowledge_base-knowledge_base--type_checking_and_length_checking--.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
## Description | ||
|
||
Type checking, length checking and whitelisting is an essential in defense in depth strategie to make | ||
your application more resiliant against input injection attacks. | ||
|
||
Example: | ||
``` | ||
SELECT * FROM pages WHERE id=mysql_real_escape_string($_GET['id']) | ||
``` | ||
|
||
This PHP example did effectively not mitigate the SQL injection. This was due to the fact | ||
that it only escaped string based SQL injection. | ||
|
||
Now, if this application also had additional checks to validate if the value of | ||
the $_GET['id'] parameter was indeed as expected an integer and rejected if this condition was false, | ||
the attack would effectively been mitigated. | ||
|
||
|
||
## Solution | ||
|
||
All the user supplied input that works outside of the intended opteration of the application | ||
should be rejected by the application. |