Web Application Security
Database Encryption -- Sql Injection Apr 22 2003 01:31AM
Dave Bergert (dbergert nobel-net com)
Does any one have any comments on where best to incorporate Column level
encryption in a Database field? At the Database Server level (via a
User Defined Function) or at the Application Level. Which would be less
impervious to SQL Injection?

I am on a MS-SQL 2000 and IIS Platform.

If I had a User Defined Function for example:
Select decrypt(AccountNumber, "key") from tblTable where User =
'someuser'

If SQL Injection occurs:
Select decrypt(AccountNumber, "key") from tblTable where User =
'someuser' or 1=1

In this case if SQL injection occurs the encrypted field will be
automatically decrypted by the UDF... Showing all accountNumbers...

If I had the Decryption handled at the Application:
Select encryptedAccountNumber from tblTable where User = 'someuser'

And had the application call:
AccountNumber = DecryptFunction (ResultSet ("encryptedAccountNumber" ),
"key")

If SQL Injection occurs, the only way data could be seen if through
whatever mechanism the application displays the AccountNumber

(Are these scenarios identical ?)

I know that encryption is not a substitution for good input sanity
validation.
Which method would be better to implement?
Thanks for comments.

Regards,
Dave Bergert

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus