Re: [SECURITY] DoS attack on backend possible

From: ngpg(at)grymmjack(dot)com
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: [SECURITY] DoS attack on backend possible
Date: 2002-08-19 20:54:53
Message-ID: Xns926FAC763A2C59wn7t0983uom3iu23n@64.49.215.80
Lists: pgsql-committers pgsql-hackers

Weimer(at)CERT(dot)Uni-Stuttgart(dot)DE (Florian Weimer) wrote
> Alvar Freude <alvar(at)a-blast(dot)org> writes:
>
>>> What about checking the input for backslash, quote,
>>> and double quote (\'")? If you are not taking care of those in
>>> input then crashing the backend is going to be the least of your
>>> worries.
>>
>> with Perl and *using placeholders and bind values*, the application
>> developer does not have to worry about this. So, usually I don't check the
>> values in my applications (e.g. if only values between 1 and 5 are
>> allowed and under normal circumstances only these are possible), it's
>> the task of the database (check constraint).
>
> That's the idea. It's the job of the database to guarantee data
> integrity.
>
> Obviously, the PostgreSQL developers disagree. If I've got to do all
> checking in the application anyway, I can almost use MySQL
> instead. ;-)
>

Perhaps I did not express myself very well.
If you are going to be passing any user input to the database, you
must/should validate in some manner before blindly passing it to the db.
The db can and should guarantee data integrity, but the database cannot
read your mind when it comes to how you structure your queries.

$input = "user'name";
INSERT INTO db (name) VALUES ('$input');

will fail because the ' in the input needs to be escaped with a
backslash. At some point this has to happen, because

INSERT INTO db (name) VALUES ('user'name');

is not a valid query.

The other thing is I think you are stretching the "db integrity
checking" argument a little too far. It's the db's responsibility to make
sure only valid data is stored, but it's not the db's responsibility to
directly interact with your end users -- this is the job of your
application and interface. If you insert a new record and there is a
constraint violation, how is your application supposed to know what
illegal value(s) is/are causing it? How are you supposed to convey the
proper information to your user to get the input you are looking for?

Besides all that, and I don't mean to insult you, but you're just plain
stupid if you blindly pass user inputted data to your db. For that
matter, you're stupid if you blindly accept user input in any programming
without checking it at some level.
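The three outcomes argued over in this thread, shown in a small runnable example. This is added illustration, not code from the list message or from PostgreSQL; it uses Python's built-in sqlite3 module in place of Perl DBI against PostgreSQL, which is enough to show the mechanics: pasting "user'name" into the SQL text breaks the statement, a placeholder/bind value stores it intact, and a CHECK constraint rejects an out-of-range value but only tells the application that some constraint failed. The table, column names and sample values are constructed for the example.

```python
import sqlite3

# Constructed schema mirroring the thread: a name column, plus a rating
# that the database itself restricts to 1..5 via a CHECK constraint.
SCHEMA = """
CREATE TABLE users (
    name   TEXT    NOT NULL,
    rating INTEGER NOT NULL CHECK (rating BETWEEN 1 AND 5)
);
"""


def fresh_db():
    """Open a throwaway in-memory database with the sample schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_interpolated(conn, name, rating):
    """The pattern from the message: the value is pasted into the SQL text.
    A single quote inside `name` becomes SQL syntax instead of data."""
    sql = f"INSERT INTO users (name, rating) VALUES ('{name}', {rating})"
    conn.execute(sql)
    conn.commit()


def insert_bound(conn, name, rating):
    """Placeholders and bind values: the driver passes the value separately,
    so a quote in the data never reaches the SQL parser as syntax."""
    conn.execute("INSERT INTO users (name, rating) VALUES (?, ?)", (name, rating))
    conn.commit()


def try_insert(insert_fn, name, rating):
    """Run one insert on a fresh database and classify the outcome as
    ('ok', ''), ('syntax', msg) when the data broke the statement, or
    ('constraint', msg) when the database rejected the value."""
    conn = fresh_db()
    try:
        insert_fn(conn, name, rating)
        return ("ok", "")
    except sqlite3.OperationalError as exc:      # malformed statement
        return ("syntax", str(exc))
    except sqlite3.IntegrityError as exc:        # CHECK constraint failed
        return ("constraint", str(exc))
    finally:
        conn.close()


def stored_name(name):
    """Insert `name` with a bind value and read it back unchanged."""
    conn = fresh_db()
    insert_bound(conn, name, 3)
    row = conn.execute("SELECT name FROM users").fetchone()
    conn.close()
    return row[0]


if __name__ == "__main__":
    print(try_insert(insert_interpolated, "user'name", 3))   # syntax error
    print(try_insert(insert_bound, "user'name", 3))          # ok
    print(repr(stored_name("user'name")))                    # 'user\'name'
    print(try_insert(insert_bound, "alice", 7))              # constraint failed
```

The last call is the point made about application-side checking: the database reports only that a constraint failed, not which input value the user should change, so the application still has to validate (or at least map the error back to a field) before it can give the user a useful message.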
