After my dissertation on methods and tools for testing SOAP-based web services, I have been giving a lot of thought to SQL injection attacks; coming from a web application development background, that is one of my pet peeves.

I have often used a recycled function to sanitise user input before any database interaction is opened up, and this has served me really well. It only dawned on me recently, however, when it is actually necessary to apply this sanitisation. For example, when registering a user you will obviously need to sanitise the inputs that will be stored in the database as plain text, such as user names, email addresses and the like (unless you're uber paranoid and decide to [reversibly] encrypt every entry in the database, in which case you should not even be reading this post).

For simpletons like me, however, I have realised that it is not necessary to sanitise for SQL injection when storing passwords, because I NEVER store passwords in plain text anyway. The need is removed because once the salted hash has been produced (regardless of the algorithm: SHAx, MDx, Blowfish, etc.) the stored text is in no way close to what the plain text looks like, so it would be a waste of time trying to sanitise it.
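As an added example (not the post's own code) of the point above: the password is hashed with a salt before it ever reaches the database, so the value actually stored is nothing but hexadecimal digits and a separator, whatever quotes, semicolons or comment markers the user typed. The user name, which is stored as plain text, still goes through a parameterised query. The `users` table, the `salt$hash` record layout and PBKDF2-HMAC-SHA256 are assumptions for this illustration.

```python
import hashlib
import os
import re
import sqlite3
from typing import Optional

HEX_ONLY = re.compile(r"[0-9a-f]+")


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Return 'salt_hex$hash_hex' using salted PBKDF2-HMAC-SHA256 (assumed scheme)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${digest.hex()}"


def is_hex_record(record: str) -> bool:
    """True when every field of the stored record is lowercase hex, i.e. it
    cannot carry quotes, semicolons or comment sequences into a SQL statement."""
    return all(HEX_ONLY.fullmatch(part) for part in record.split("$"))


def register_user(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Store the user. The hash is the only password-derived value saved; the
    user name is plain text, so it is bound as a parameter rather than concatenated."""
    record = hash_password(password)
    conn.execute("INSERT INTO users (username, pw_record) VALUES (?, ?)", (username, record))
    return record


def fetch_record(conn: sqlite3.Connection, username: str) -> Optional[str]:
    row = conn.execute("SELECT pw_record FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def demo() -> tuple:
    """Register one user whose password contains SQL metacharacters (constructed input)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_record TEXT NOT NULL)")
    metachar_password = "O'Brien; -- 2024"  # constructed: quote, semicolon, comment marker
    stored = register_user(conn, "alice", metachar_password)
    count = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return stored, fetch_record(conn, "alice"), count
```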

Kudos to those who had already come to this realisation. It took me a while but I finally got there.
