In the next installment of my security series, I’ll tackle SQL injection. In true code reuse fashion, I’ll provide a couple of links that do a great job of explaining some misconceptions about SQL injection and how to protect your application.
First here’s a link to a post on Glen Gordon’s blog about injection: http://blogs.msdn.com/glengordon/archive/2008/04/15/some-sql-injection-attack-misperceptions-and-reality.aspx. Glen includes a nice list of common mistakes when thinking about preventing injection attacks.
Next is a link from the MSDN magazine showing how to stop injection attacks: http://msdn2.microsoft.com/en-us/magazine/cc163917.aspx
I know this was a lazy post, but cut me some slack. I’ve got a 2 month old baby and a new PS3. 
Cross-site scripting can be a tough vulnerability to eliminate, but it doesn’t necessarily have to be. If you’re working on an ASP.NET project, the Microsoft Anti-XSS library is easy to use and freely available. Like a lot of developers, I’ve rolled my own anti-XSS by escaping specific characters, but it’s usually clunky and, let’s face it, there are still bound to be vulnerabilities. The MS library can be used to encode for HTML, HTML attributes, JavaScript and VBScript, as well as for XML and XML attributes.
Always encode data from untrusted inputs. A few examples of untrusted inputs:
- Databases
- Form fields
- Session variables
- Query string
- Cookies
Using the library is very simple. Just add a reference to the dll to your project, and you’re ready to go. Here’s a quick and dirty code example encoding a value from the query string for an HTML element context:
```csharp
// AntiXss lives in Microsoft.Security.Application; HtmlEncode is for HTML element content
string Name = AntiXss.HtmlEncode(Request.QueryString["Name"]);
```
A good rule to live by is “When in doubt, encode it.” Just don’t encode it twice.
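To show why the library offers more than one encoder, here is an added example (not code from the original post) in the form of a hypothetical Web Forms code-behind that puts the same query-string value into three output contexts. It assumes the Anti-XSS 3.x `AntiXss` class in `Microsoft.Security.Application` and two made-up controls, `litGreeting` (a Literal) and `lnkProfile` (a HyperLink).

```csharp
using System;
using System.Web.UI;
using Microsoft.Security.Application; // Anti-XSS library (assumed 3.x): AntiXss class

// Hypothetical code-behind for Greeting.aspx; control names are invented for this example.
public partial class Greeting : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input: anything in the query string is attacker-controlled.
        string name = Request.QueryString["Name"] ?? string.Empty;

        // BEFORE: raw concatenation. Each of these lines is an XSS sink.
        // litGreeting.Text = "<p>Hello, " + name + "</p>";
        // lnkProfile.Attributes["title"] = name;
        // ClientScript.RegisterStartupScript(GetType(), "hi",
        //     "<script>var n = '" + name + "';</script>");

        // AFTER: choose the encoder for the context the value lands in.

        // 1. HTML element content
        litGreeting.Text = "<p>Hello, " + AntiXss.HtmlEncode(name) + "</p>";

        // 2. HTML attribute value (quotes are the dangerous characters here)
        lnkProfile.Attributes["title"] = AntiXss.HtmlAttributeEncode(name);

        // 3. JavaScript string literal. HtmlEncode is NOT enough here, because the
        //    browser does not HTML-decode inside <script>. JavaScriptEncode escapes
        //    the value as a JS literal; the single-argument overload is assumed to
        //    emit the surrounding single quotes itself, so none are added.
        ClientScript.RegisterStartupScript(GetType(), "hi",
            "<script>var n = " + AntiXss.JavaScriptEncode(name) + ";</script>");

        // "Don't encode it twice": store the raw value and encode only at output,
        // otherwise a later HtmlEncode turns "&amp;" into "&amp;amp;".
        Session["VisitorName"] = name;
    }
}
```

The same rule applies to values read back from Session or a database: treat them as untrusted and encode them at the point of output, not when they are stored.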
You can download the library from Microsoft here.
Well, my highly publicized conversion to Linux is sort of over. I’ve still got Ubuntu installed on my secondary notebook, but I went back to WinXP on my primary notebook. There are some things I want to do, and it’s just a whole lot easier to use Windows (primarily work with videos of my daughter I’ve taken using my camcorder). This doesn’t mean that I didn’t like Ubuntu. I actually really liked it, but it just wasn’t practical for my needs. I’ll still use it, but just not as much.