I have to admit you are right, next time I will read recommendations fully... Sorry for annoyance with SQL escaping.

http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html

BTW it would be interesting to allow a developer to advise a service considering only its interface and not the way the service is implemented. Be sure I don't mind looking at the source code, because it makes me learn a lot, but IMHO this kind of developer consideration is important to be taken into account.

2010/1/7 Thiago H. de Paula Figueiredo <thiag...@gmail.com>

> On Thu, 07 Jan 2010 11:36:27 -0200, Andreas Andreou <andy...@di.uoa.gr>
> wrote:
>
>> I'm not aware what the OWASP recommendations are. When 2 layers serve
>> different goals and one of them is vulnerable, it doesn't make sense to
>> protect the other one - that other layer wouldn't even know what to protect
>> against since it could interoperate with any kind of back-end.
>
> I guess the recommendations are that one layer cannot take for granted that
> the other has done all the needed validations. In other words, each layer
> must do the validations related to the input it takes. Andreas is right when
> he says that one layer needn't protect another layer, especially because one
> doesn't even know how the other is implemented.
>
> --
> Thiago H. de Paula Figueiredo
> Independent Java, Apache Tapestry 5 and Hibernate consultant, developer,
> and instructor
> Owner, software architect and developer, Ars Machina Tecnologia da
> Informação Ltda.
> http://www.arsmachina.com.br
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
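An illustration of the layer-local validation Thiago describes, added here as an example and not code from this thread, from Tapestry or from ESAPI. The web layer checks the shape of its own form field (a hypothetical username rule), while the persistence layer protects itself by binding the value as a JDBC parameter instead of escaping it into the SQL text, so neither layer depends on what the other did; the `users` table and `UserDao` class are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example, not code from the thread or from Tapestry/ESAPI.
// Each layer validates only the input it takes; neither one relies on
// the other having escaped or filtered anything.

// Web layer: validates the form field for its own purposes (the shape of a
// username), not to protect the database. The rule is a hypothetical one.
final class UsernameForm {
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_]{3,32}");

    static String validate(String raw) {
        if (raw == null || !USERNAME.matcher(raw).matches()) {
            throw new IllegalArgumentException("username must be 3-32 word characters");
        }
        return raw;
    }
}

// Persistence layer: binds the value as a parameter, so the SQL text is fixed
// regardless of what the caller passes. It does not know or care whether
// UsernameForm (or any other front end) ran first.
final class UserDao {
    private final Connection connection;

    UserDao(Connection connection) {
        this.connection = connection;
    }

    boolean exists(String username) throws SQLException {
        // The value is bound with setString, never concatenated into the SQL text
        String sql = "SELECT 1 FROM users WHERE username = ?";
        try (PreparedStatement ps = connection.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

A page that calls `UserDao.exists(UsernameForm.validate(field))` gets both checks, but `UserDao.exists` stays safe for any caller that skips the form step, which is the point of each layer validating its own input.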