Validating database

25 Dec

The type of integrity control (checksum, HMAC, encryption, digital signature) should be directly related to the risk of the data transiting the trust boundary. However, validation should be performed as per the function of the server executing the code.Say you want to set up a site where users can upload arbitrary files so they can share them or download them again from another location.In this case validation is impossible because there is no valid or invalid content.It can take upwards of 90 regular expressions (see the CSS Cheat Sheet in the Development Guide 2.0) to eliminate known malicious software, and each regex needs to be run over every field. Just rejecting "current known bad" (which is at the time of writing hundreds of strings and literally millions of combinations) is insufficient if the input is a string.This strategy is directly akin to anti-virus pattern updates.

For example, the web / presentation tier should validate for web related issues, persistence layers should validate for persistence issues such as SQL / HQL injection, directory lookups should check for LDAP injection, and so on.

Business rules are known during design, and they influence implementation.

To ensure that the application is robust against all forms of input data, whether obtained from the user, infrastructure, external entities or database systems. This weakness leads to almost all of the major vulnerabilities in applications, such as Interpreter Injection, locale/Unicode attacks, file system attacks and buffer overflows.