Your password is a potentially dangerous

By Kenneth Graf (Intel) (6 posts) on June 19, 2008 at 2:59 pm

It has been a while since I last blogged, and my general password had changed; imagine my surprise when I logged in to blog and received this error message: A potentially dangerous Request.Form value was detected from the client (_ctl1:txtPassword="...*...."). Well, surprised really is not the right word. I understand that some application developer listened to some webinar where some vendor’s security expert breathlessly told everyone listening they would lose millions of dollars if they didn’t stop SQL injections. Oy!


What I am surprised about is the number of “security experts” that profess the way to stop SQL injections is to prevent the user from using characters like *, “, ‘, and #. It seems to me not using SQL in the first place is the best way for an application to stop SQL injections. Using a web service or SAML would eliminate the need for ODBC calls and the required SQL injection screening.
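The distinction this paragraph draws, as an added example that is not code from the post: a character blocklist of the kind that rejected the author's password, next to the concatenated SQL such a blocklist is meant to protect, and the bound-parameter form that needs no blocklist at all. Bound parameters are the standard remedy where SQL stays in the application (the post's own preference is to remove the ODBC calls entirely); Python's sqlite3 stands in for the ODBC stack, and the user name, password and salt are constructed values.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample credentials (not from the post); the password contains
# exactly the characters the post says blocklists reject: * " ' #
SAMPLE_USER = "o'brien"
SAMPLE_PASSWORD = 'p*"#\'ss'
BLOCKED_CHARS = set('*"\'#')

def blocklist_rejects(value):
    """The request-validation approach the post complains about: refuse any
    input containing a blocklisted character, legitimate or not."""
    return any(ch in BLOCKED_CHARS for ch in value)

def pw_hash(password, salt):
    # Hash before storage, so the password itself never reaches SQL in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash TEXT)")
    salt = b"constructed-fixed-salt"  # a real system draws a random salt per user
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (SAMPLE_USER, salt, pw_hash(SAMPLE_PASSWORD, salt)))
    return conn

def lookup_concat(conn, name):
    """Vulnerable pattern: SQL built by concatenation. A quote in `name` changes
    the statement, so even the legitimate user o'brien cannot log in."""
    sql = "SELECT salt, pw_hash FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()

def lookup_param(conn, name):
    """Hardened pattern: the value is a bound parameter and is never parsed as
    SQL, so any character is safe and no blocklist is needed."""
    sql = "SELECT salt, pw_hash FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()

def login_result(conn, name, password, lookup):
    """Return 'ok', 'denied' or 'sql-error'; a legitimate login ending in
    'sql-error' is the symptom of concatenated SQL."""
    try:
        row = lookup(conn, name)
    except sqlite3.OperationalError:
        return "sql-error"
    if row is None:
        return "denied"
    salt, stored = row
    return "ok" if hmac.compare_digest(pw_hash(password, salt), stored) else "denied"
```

The blocklist turns away the legitimate password, the concatenated query fails on the legitimate user name, and only the bound-parameter version lets the real user in while still rejecting a wrong password.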


For those who think SSL answers all security problems, there was a nice long debate on using usernames and passwords with SSL on http://webappsec.org/lists/websecurity/


Personally, I think it is time for security experts to stop spreading the misperception that all problems can be solved with a network device, and time for application developers to step up and use the right, not just the easiest, security solution.

Categories: Software Engineering, XML Software

Comments (1)

July 3, 2008 8:05 AM PDT

lakshmanansubramanian
Agree, and I face the same problem and advise SAML; this would eliminate the SQL calls.
