|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Database Encryption -- Sql Injection
From: Dave Bergert (dbergert
nobel-net.com)
Date: Mon Apr 21 2003 - 20:31:48 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Does any one have any comments on where best to incorporate Column level
encryption in a Database field? At the Database Server level (via a
User Defined Function) or at the Application Level. Which would be less
impervious to SQL Injection?
I am on a MS-SQL 2000 and IIS Platform.
If I had a User Defined Function for example:
Select decrypt(AccountNumber, "key") from tblTable where User =
'someuser'
If SQL Injection occurs:
Select decrypt(AccountNumber, "key") from tblTable where User =
'someuser' or 1=1
In this case if SQL injection occurs the encrypted field will be
automatically decrypted by the UDF... Showing all accountNumbers...
If I had the Decryption handled at the Application:
Select encryptedAccountNumber from tblTable where User = 'someuser'
And had the application call:
AccountNumber = DecryptFunction (ResultSet ("encryptedAccountNumber" ),
"key")
If SQL Injection occurs, the only way data could be seen if through
whatever mechanism the application displays the AccountNumber
(Are these scenarios identical ?)
I know that encryption is not a substitution for good input sanity
validation.
Which method would be better to implement?
Thanks for comments.
Regards,
Dave Bergert
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]