
Your Plan to Secure your code


  • Never trust the user! 
  • Validate all input coming from a user. This includes every part of an HTTP request that you process: the header names and values, the cookie names and values, the query-string parameters, web form values, and any other data included in the message body. 
  • Always use whitelist input validation to test input; that is, test whether an input matches an expected good format and reject it if it doesn't. Avoid blacklist input validation; that is, testing whether an input matches a known bad format and rejecting it only if it does. 
  • Never perform validation only on the client side - an attacker can easily bypass those controls. Always validate on the server side.
  • Use regular expressions for more complicated validation logic, such as testing e-mail addresses. Unless you're a regex expert, also consider taking a regex from one of the public databases such as regexlib.com or from a commercial regex development tool such as RegexBuddy. 
  • If you can afford the performance hit, validate input both as it comes into your application and again immediately before you use it. If you can only do it in one place, do it immediately before use.
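To make the whitelist-versus-blacklist and server-side points above concrete, here is an added Python example (not code from the original post): it validates query-string parameters, header names and values, and cookies against expected-good patterns, and shows a value that a blacklist check lets through. The field rules, header and cookie patterns, and the sample request are all constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Whitelist: each field must fully match its expected good format.
# Patterns are constructed for this example; the e-mail one is a
# simplified shape, not a vetted library regex.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "page":     re.compile(r"[1-9][0-9]{0,4}"),
    "email":    re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"),
}
HEADER_NAME  = re.compile(r"[A-Za-z0-9-]{1,64}")
HEADER_VALUE = re.compile(r"[\x20-\x7e]{0,1024}")   # printable ASCII, no CR/LF
COOKIE_VALUE = re.compile(r"[A-Za-z0-9._-]{1,128}")

# Blacklist shown for contrast: it only knows a few bad fragments.
BLACKLIST = re.compile(r"<script|'\s*or\s|--", re.IGNORECASE)

def blacklist_ok(value: str) -> bool:
    """Blacklist check: accepts anything not on the known-bad list."""
    return BLACKLIST.search(value) is None

def whitelist_ok(pattern: re.Pattern, value: str) -> bool:
    """Whitelist check: accepts only a full match of the expected format."""
    return pattern.fullmatch(value) is not None

def validate_request(query_string: str, headers: dict, cookies: dict) -> list:
    """Server-side validation of every attacker-controlled request part.
    Returns the rejected (source, name) pairs; an empty list means clean."""
    rejected = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        rule = FIELD_RULES.get(name)            # unknown parameters are rejected
        for v in values:
            if rule is None or not whitelist_ok(rule, v):
                rejected.append(("query", name))
    for name, value in headers.items():
        if not (whitelist_ok(HEADER_NAME, name) and whitelist_ok(HEADER_VALUE, value)):
            rejected.append(("header", name))
    for name, value in cookies.items():
        if not (whitelist_ok(HEADER_NAME, name) and whitelist_ok(COOKIE_VALUE, value)):
            rejected.append(("cookie", name))
    return rejected

if __name__ == "__main__":
    # Constructed request: 'page' is not a number and one header value carries CR/LF.
    print(validate_request("username=alice&page=1+OR+1%3D1",
                           {"Host": "example.test",
                            "X-Forwarded-For": "1.2.3.4\r\nInjected: yes"},
                           {"session": "abc123"}))
    # -> [('query', 'page'), ('header', 'X-Forwarded-For')]
    print(blacklist_ok("1 OR 1=1"))   # True: the blacklist misses it, the whitelist does not
```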
