Interstell, Inc.

Security, Application Security, and Software Research

Can’t Use Whitelists for your Java Web App? Don’t Abandon Hope!

We all know protecting input is important. A few posts ago, I talked about one option: using whitelists. Implementing a whitelist means you only allow a certain (generally small) set of characters into your input fields. I pointed out that they’re great for web applications that are very, very focused in their functionality, like a financial application. What if your application isn’t so simple or focused? What if you have […]


Protecting Input: Don’t Allow SQL Injection, PHP and SQL Server Style!

My last post talked about using parameterized queries to guard against SQL Injection for a specific environment: MySQL databases within the context of a PHP application. Those applications ran under Apache, which was running under Linux. The MySQL database also ran under Linux. You probably already know that this collection of technology is named Linux Apache MySQL PHP — LAMP for short. This is a common configuration for cloud providers, and […]


Protecting Input: Don’t Allow SQL Injection, LAMP Style!

Introduction In my last post, I facetiously said that the problem with databases is that they do what we tell them to. Then I introduced you to SQL Injection and demonstrated how to protect yourself against it if you’re running a Java application (for example, under Apache Tomcat 8.0.39). That technique relied on JDBC and parameterized SQL queries, which means we rely on a mechanism between Java and the database engine itself […]


Protecting Input: Don’t Allow SQL Injection, Java Style!

Introduction The problem with databases is that they do what we tell them to. Really, that’s so annoying sometimes! Does that sound like an irrational statement? Unfortunately, it’s not, and that’s because there are malicious folks in the world who would like nothing better than to either steal your data or ruin it. And it’s all because databases will happily execute any legal command you give them — even it […]


Protecting Input: Implementing Whitelists in PHP

Introduction In my last post, I talked about implementing whitelists in Java. We finally got to see some actual code! Not actual cannibal SHIA LABEOUF level stuff, but kinda cool nonetheless. As promised, in this post, I’ll show you how to implement the same whitelist with the same philosophical underpinnings in PHP. But first… Why do we care about whitelisting again? Yeah, we all know sanitizing input’s a good idea. It’s become a […]
