Versions Compared

Old Version 1

changes.mady.by.user Matthias Rohr

Saved on

compared with

New Version 2

changes.mady.by.user Matthias Rohr

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

  1. Every access to backend systems such as databases MUST be parameterized7parameterized[1], e.g. via
    prepared statements, OR mappers (e.g. Hibernate) when an API for this matter do does exist.

  2. All parameters, either internally or user-controlled, MUST be declared as parameters within
    a prepared statement (or similar API) call.

  3. In case an API does not provide any methods for parameterized statements, parameters
    MUST be encoded with suitable APIs (e.g. SQL encoding) to prevent interpreter injection.

  4. User-controlled parameters MUST be encoded with a suitable API and method related to
    its output context if written to an HTML page:a)

    1. HTML Context: HTML entity encoding

    b)

    1. JavaScript Context: JavaScript escaping

    c)

    1. CSS Context: CSS escaping

  5. Output encoding SHOULD only be implemented with mature APIs and frameworks.

  6. Implicit validation (e.g. via ORM frameworks or template technologies) SHOULD be
    preferred to explicit validation (API calls).

...

[1] Each parameter needs to be defined explicitly as a parameter (e.g. with a setParam() statement) or indirectly by a framework.