Hi Lester, On Tue, Sep 5, 2017 at 8:36 PM, Lester Caine <les...@lsces.co.uk> wrote:
> On 05/09/17 12:18, Yasuo Ohgaki wrote:
> > I cannot guess people's thought. I appreciated feedback!
>
> With a decent database layer a lot of the validation you are proposing
> is already covered but PDO does not help in this area. Adding another
> layer that does not integrate with a storage layer is just adding to the
> current mess ...

I'm a fan of multiple tiers and multiple layers of protection.

For instance, Microsoft's SQL injection security page states as follows.

- Never build Transact-SQL statements directly from user input; use stored procedures to validate user input.
- Validate user input by testing type, length, format, and range. Use the Transact-SQL QUOTENAME() function to escape system names or the REPLACE() function to escape any character in a string.
- Implement multiple layers of validation in each tier of your application.

https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/writing-secure-dynamic-sql-in-sql-server

This is what secure coding practice recommends, too. It may seem a mess, but it's not.

The outermost trust boundary that can be controlled is the most important trust boundary. For server-side web app developers, the outermost trust boundary is the controller in the MVC model. Input validation at the model is a bit too late to mitigate risks involved with invalid (attacker) inputs. Both model-layer and controller-layer input validation (as well as in the database, too) are good/important to have.

There is one principle that developers would do well to follow.

https://en.wikipedia.org/wiki/Fail-fast

If we follow this principle, validation at the controller makes sense.

Regards,

P.S. For database administrators or web app developers who maintain application Models, the outermost trust boundary is "the database system" and "the Model layer" respectively. The outermost trust boundary changes with what they can control. This kind of discussion could result in a mess. I hope I explained well enough.

--
Yasuo Ohgaki
yohg...@ohgaki.net
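The layered scheme described in the message above (fail-fast validation at the controller, parameter binding in the model, constraints in the database) as an added, stand-alone example; this is not code from the thread, from Yasuo's RFC, or from PHP/PDO, and it uses Python with an in-memory SQLite database purely so it runs offline. The `users` table, the username rule, the age range and the sample requests are all constructed for the illustration.

```python
import re
import sqlite3

# Layer 3, the database: the schema carries its own type, length and range
# checks, so a value that somehow bypasses the application layers is still
# rejected.  (Constructed sample schema.)
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT    NOT NULL UNIQUE CHECK (length(username) BETWEEN 3 AND 32),
    age      INTEGER NOT NULL        CHECK (age BETWEEN 0 AND 150)
);
"""

# Assumed username policy for the example: lowercase, 3..32 chars, no quotes.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


class ValidationError(ValueError):
    """Raised by any layer that refuses an input."""


def validate_signup(raw: dict) -> dict:
    """Layer 1, the controller: fail fast on type, length, format and range
    before the request reaches any business logic or storage."""
    if set(raw) != {"username", "age"}:
        raise ValidationError("unexpected or missing fields")
    username = raw["username"]
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        raise ValidationError("username: bad type, length or format")
    age = raw["age"]
    # bool is a subclass of int in Python, so reject it explicitly
    if isinstance(age, bool) or not isinstance(age, int) or not 0 <= age <= 150:
        raise ValidationError("age: bad type or out of range")
    return {"username": username, "age": age}


class UserModel:
    """Layer 2, the model: never builds SQL from input; values are bound
    as parameters, and the model re-checks the invariants it relies on
    instead of trusting that a controller ran first."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def create(self, username: str, age: int) -> int:
        if not isinstance(username, str) or isinstance(age, bool) or not isinstance(age, int):
            raise ValidationError("model: wrong types")
        cur = self.conn.execute(
            "INSERT INTO users (username, age) VALUES (?, ?)", (username, age)
        )
        self.conn.commit()
        return cur.lastrowid

    def find(self, username: str):
        # A bound parameter is data, never SQL: an injection payload here
        # simply matches no row.
        return self.conn.execute(
            "SELECT id, username, age FROM users WHERE username = ?", (username,)
        ).fetchone()


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_via_model(conn, username, age):
    """Path that skips the controller (e.g. an internal caller); shows the
    model and database layers catching what the controller did not see."""
    try:
        return ("created", UserModel(conn).create(username, age))
    except ValidationError as e:
        return ("rejected_at_model", str(e))
    except sqlite3.IntegrityError as e:
        return ("rejected_at_database", str(e))


def signup(conn, raw):
    """Full path: controller -> model -> database.  Returns (status, detail)."""
    try:
        clean = validate_signup(raw)
    except ValidationError as e:
        return ("rejected_at_controller", str(e))
    return insert_via_model(conn, clean["username"], clean["age"])


if __name__ == "__main__":
    db = new_db()
    print(signup(db, {"username": "alice", "age": 30}))
    print(signup(db, {"username": "alice' OR '1'='1", "age": 30}))   # stopped at controller
    print(insert_via_model(db, "carol", 999))                         # stopped by CHECK constraint
    print(UserModel(db).find("alice' OR '1'='1"))                     # None: bound, not interpolated
```

Each layer rejects on its own terms: the controller refuses anything that is not the expected type, length, format or range; the model only ever binds parameters, so a payload that reaches it is inert; and the CHECK constraints catch an out-of-range value that arrived through a path the controller never saw.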