- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 19 Nov 2013 13:12:02 +1100
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, "Moriarty, Kathleen" <kathleen.moriarty@emc.com>
On 19/11/2013, at 4:46 AM, Julian Reschke <julian.reschke@gmx.de> wrote:

>> Section 9.3: You may want to include information that informs
>> developers and users of SQL injection attacks. Fields are still
>> included in some URIs that link you to pages directly that contain
>> personal information using consistent identifiers. It would be helpful
>> as this is still one of the biggest attack vectors. A quick search on
>> SQL injection URL will provide additional information for inclusion in
>> the write up. You mention GET-based forms in section 9.3, but it
>> doesn't mention SQL injection attacks and information in the URIs. Since
>> this is so prevalent still, I think it is important to call out explicitly.
>
> Not convinced. From an HTTP point of view, URIs are just opaque identifiers. Also, there are many kinds of injection attacks. Should we list them all (XML, javascript...)?

+1 - SQL doesn't have anything to do with HTTP, and even though it is used often in conjunction with the protocol, it's an implementation-specific choice.

For example, I don't use any SQL on my Web site, and am very happy about that :)

Cheers,

--
Mark Nottingham
http://www.mnot.net/
Received on Tuesday, 19 November 2013 02:12:25 UTC