I understand the benefits of cleaning all data and quoting data, etc, but I'm wondering if http allows for a situation where a subdomain could have the right chars for SQL injection.
+3
A:
You mean like http://%27%3B%20delete%20table%20users%3B%20commit%3B.example.com?
I'm guessing you have a wildcard DNS entry and are taking the subdomain as a form of input. If so, then yes, it's user-generated input and you have to be as suspicious of it as anything else. Even if none of us here on SO can come up with a real example for this question, that doesn't mean someone much more determined who spends more time on it couldn't come up with one.
Is there an argument against escaping/processing/checking the subdomain name?
T.J. Crowder
2010-03-11 07:55:53
+2
A:
You shouldn't "clean" or quote your data to avoid SQL injection. You should use query parameters.
Mark Byers
2010-03-11 07:58:00
...which is a way of cleaning/quoting your data. Sometimes you have to do it other ways, depending on your DB connector technology and such.
T.J. Crowder
2010-03-11 08:01:42
@TJCrowder: I wouldn't say parameters is a way of cleaning or quoting. I'd say it's a way to not need to clean or quote.
John Saunders
2010-03-11 08:16:40
@John I'm using an ORM that does all the security stuff for me so I can afford to be ignorant anyhow, but I was just curious.
orokusaki
2010-03-11 16:59:19
@Mark +1 for the unicorn. P.S. Your website has a proxy issue ("Bad Gateway Error").
orokusaki
2010-03-11 17:38:38