Eliminating SQL Injection... (English)

Friday, 08 September 2006

posted on Saturday, July 10, 2004 8:06 PM

Read on Stefan Demetz's blog about a movement afoot to lobby Microsoft to change how textboxes allow passed-in data. See here for the comment. Sorry, but I think this is a plain awful idea and is very reminiscent of the horrible RequestValidation nonsense introduced in .NET 1.1. I am in favour of a simple method of encrypting and validating QueryString input such as presented here (apart from the fact that it used 3DES - DO NOT DO THIS! 3DES is MUCH slower and not as secure as AES). So what's my problem with changing the default behaviour of input controls? Simple, three things:

  1. If it happens, this will likely be implemented in such a way that it breaks existing applications (this also happened with 1.1, and as a result there are still a few apps running 1.0 out there).
  2. If it is done it would have to be totally bulletproof, otherwise every app would rely on a single security mechanism - which is so NOT a good idea!
  3. Abdication of responsibility by developers: if this were done so that it had to be explicitly enabled, either in web.config or at page level, I would be much happier. Put simply, I prefer developers to know what's happening in their code and therefore be more likely to be aware of any issues surrounding it.

Oh, and Microsoft, if you do do this, don't do it like Viewstate where you hardcode 3DES encryption with no way of replacing your implementation, at least make it a Provider!
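As an added illustration of the third point above (this is example code, not from the original post), here is what "developers knowing what's happening in their code" looks like for SQL injection: an explicit, opt-in input check in the developer's own code plus a parameterised query, beside the concatenated query that control-level sanitisation tries to paper over. The in-memory SQLite table, the sample rows and the `validate_name` policy are assumptions of this example.

```python
import sqlite3

def make_db():
    """Constructed in-memory sample data (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"),
         ("bob", "bob@example.invalid"),
         ("O'Brien", "obrien@example.invalid")],
    )
    return conn

def find_user_vulnerable(conn, name):
    """Builds the statement by concatenation: the value is parsed as SQL,
    so a quote in it changes the query (a legitimate O'Brien breaks it,
    and a tautology widens it to every row)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, name):
    """Parameterised: the driver binds the value separately from the
    statement text, so it can only ever be compared as data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def validate_name(name, max_len=64):
    """Explicit, developer-visible input check (assumed policy for this
    example): bound the length, but do not strip apostrophes, because
    names like O'Brien are legitimate input that a textbox-level rewrite
    would mangle."""
    if not name or len(name) > max_len:
        raise ValueError("name missing or too long")
    return name

def lookup(conn, raw):
    """The check and the query both live in the developer's own code; no
    framework-wide rewriting of the textbox value is needed."""
    return find_user_safe(conn, validate_name(raw))
```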

© 2025 Scott Galloway — Unlicense — All content and source code on this site is free to use, copy, modify, and sell.