Thursday, October 19, 2006

XSS & SQL Injection solution

In a post (that I did not read completely through) on Tom Moertel's Weblog, a solution for Cross-Site Scripting and SQL Injection vulnerabilities is discussed.

The idea is simple and I'm surprised it's not found in more places. He basically suggests that the type String is not good enough and that there are actually several sub-types of strings. These sub-types might include XML, SQL, and so on.

So the solution is to have a SqlString hold SQL text and a UserDataString hold user data. When these strings are combined, the language could either take care of the proper escaping/conversion between string types or throw a compile-time error about mismatched string types.

I think in a language like C# you could create String classes that overload the plus (+) operator and other String methods (e.g. ToString). However, I am a little stumped on type conversion/escaping of strings. It seems to me that each new String type would have to know how to convert to each of the other String types. But maybe that's just how it is; we use the Convert class for the same sort of thing with other types.
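Here is the same design written out in TypeScript, as an added example (it is not code from the post or from Tom Moertel's weblog, and the author's C# sketch is only described in prose). The string sub-types are "branded" types: a phantom property that exists only for the type checker, so the values are plain strings at runtime. Untrusted input can only become a UserDataString through one constructor, and the only way to combine it with SQL or HTML text is through a tagged template that performs the conversion; combining the types any other way is a compile-time error, which is the second behaviour the post describes. The names (userData, sql, html, SqlQuery, escapeHtml), the `$1` placeholder style and the sample input are my assumptions.

```typescript
// Added example: "sub-types of string" as TypeScript branded types.
// The brand is a phantom property seen only by the type checker; at
// runtime every value below is an ordinary string.
type UserDataString = string & { readonly __brand: "UserData" };
type SqlString = string & { readonly __brand: "Sql" };
type HtmlString = string & { readonly __brand: "Html" };

// Untrusted input enters the program through exactly one constructor.
function userData(raw: string): UserDataString {
  return raw as UserDataString;
}

// --- SQL: combining SQL text with user data yields a parameterized query ---
interface SqlQuery {
  text: SqlString;   // developer-written SQL plus positional placeholders
  params: string[];  // user data, passed to the driver, never spliced into text
}

// Tagged template: the literal parts are trusted SQL typed by the developer;
// each interpolated value must be a UserDataString (checked at compile time)
// and is replaced by a "$n" placeholder (PostgreSQL style, an assumption here),
// so user data can never alter the statement's structure.
function sql(parts: TemplateStringsArray, ...values: UserDataString[]): SqlQuery {
  let text = parts[0];
  const params: string[] = [];
  values.forEach((v, i) => {
    params.push(v);
    text += `$${i + 1}` + parts[i + 1];
  });
  return { text: text as SqlString, params };
}

// --- HTML: combining markup with user data escapes the five HTML metacharacters ---
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Conversion UserDataString -> HtmlString for HTML *text* content.
// (Attribute, URL and JavaScript contexts need their own converters.)
function escapeHtml(v: UserDataString): HtmlString {
  return v.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch) as HtmlString;
}

function html(parts: TemplateStringsArray, ...values: UserDataString[]): HtmlString {
  let out = parts[0];
  values.forEach((v, i) => {
    out += escapeHtml(v) + parts[i + 1];
  });
  return out as HtmlString;
}

// Constructed hostile input (not taken from the post).
const attackerName = userData("O'Brien <script>alert(1)</script>");

function demoSql(): SqlQuery {
  // The quote and the script tag end up in params, not in the SQL text.
  return sql`SELECT id FROM students WHERE name = ${attackerName}`;
}

function demoHtml(): HtmlString {
  // The script tag is rendered as harmless text.
  return html`<td>${attackerName}</td>`;
}

// The mismatches the post describes are rejected by the type checker:
const rawInput: string = "O'Brien";
// @ts-expect-error a plain string cannot be interpolated without going through userData()
sql`SELECT id FROM students WHERE name = ${rawInput}`;
// @ts-expect-error '+' on branded strings yields a plain string, which is not an HtmlString
const fragment: HtmlString = "<td>" + rawInput + "</td>";
```

Two design points worth noting. First, this answers the "every type must convert to every other type" worry: only conversions from UserDataString into an output type are defined, and there is deliberately no SqlString-to-HtmlString conversion, so interpolating a query into markup (or markup into a query) is a type error rather than an implicit escape. Second, for SQL the "conversion" produces placeholders and a parameter list rather than escaped text, because quoting rules vary by database and the driver's parameter binding is the reliable boundary; HTML text content, by contrast, has a fixed set of five metacharacters, so escaping is the right conversion there.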

Any thoughts on this solution? How would this be implemented in a language like PHP or another loosely typed language?
