Preventing Code Injection
To prevent code injection problems, utilize secure input and output handling, such as:
- Input validation
- Selective input inclusion/exclusion
- Escaping dangerous characters. For instance, in PHP, use the htmlspecialchars function (converts the characters &, <, > and " (and, with ENT_QUOTES, ') to their HTML entities) and/or the strip_tags function (completely removes HTML tags) for safe output of text in HTML, and mysql_real_escape_string to escape data which will be included in an SQL query, to protect against SQL injection. Note that mysql_real_escape_string belongs to the old mysql extension, which was deprecated in PHP 5.5 and removed in PHP 7; on current PHP use prepared statements (PDO or mysqli) instead.
- Input encoding
- Output encoding
- Other coding practices which are not prone to code injection vulnerabilities, such as "parameterized SQL queries" (also known as "prepared statements" and sometimes "bound variables" or "bound values").
- Modular shell disassociation from kernel
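As an added example, not code from the original article, the following Python script contrasts a query built by string concatenation with a parameterized query, and applies output encoding to data before it is placed in HTML (html.escape plays the role PHP's htmlspecialchars plays above). It uses an in-memory SQLite table with constructed rows in place of a real application database; the function names and sample data are illustrative.

```python
import html
import sqlite3


def make_db():
    """Build a constructed sample database: two users standing in for an app's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users (name, bio) VALUES (?, ?)",
        [("alice", "likes <b>bold</b> text"), ("bob", "plain bio")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Vulnerable: the user-supplied name is spliced into the SQL text.

    Input such as  ' OR '1'='1  changes the meaning of the WHERE clause and
    the query returns every row instead of one.
    """
    query = "SELECT name, bio FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Safe: a parameterized query (prepared statement with a bound value).

    The SQL text is fixed; the value travels separately and is compared as a
    string, so quotes and keywords inside it are never parsed as SQL.
    """
    return conn.execute(
        "SELECT name, bio FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_bio(bio):
    """Output encoding: escape &, <, >, " and ' before putting data into an HTML context.

    Stored markup comes back as inert text rather than live tags.
    """
    return "<p>" + html.escape(bio, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # both rows leak
    print("safe:      ", find_user_safe(db, payload))        # no match
    print(render_bio(find_user_safe(db, "alice")[0][1]))
```

Running the script shows the injection payload pulling back both rows through the concatenated query and nothing through the bound one. Escaping on output handles the HTML context only; data headed for a shell, a filesystem path or another SQL statement needs the encoding appropriate to that context, which is why parameterization, not escaping, is the first choice for SQL.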
The solutions listed above deal primarily with web-based injection of HTML or script code into a server-side application. Different approaches are needed, however, when dealing with injection of attacker-controlled code into a process on the user's machine, which typically aims at privilege escalation. Some approaches used to detect and isolate managed and unmanaged code injections are:
- Runtime image hash validation - capture a hash of part or all of the executable image loaded into memory, and compare it with a stored, expected hash. A mismatch indicates that the loaded code has been patched or replaced.
- NX bit - data (for example the stack and heap) is kept in memory pages marked as non-executable. The processor is made aware that no code exists in those pages and refuses to execute anything fetched from them, so injected code that arrives as data cannot run in place.
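As an added example, not code from the original article, the following Python script is an analog of runtime image hash validation: it records a hash of a function's loaded bytecode at start-up and re-checks it later, detecting a simulated in-process injection that swaps the function's code object. The function names, the baseline table and the injected payload are constructed for illustration; a native implementation would hash the executable's mapped text section instead of Python code objects.

```python
import hashlib
import types


def _code_bytes(code):
    """Yield the bytes that define what a code object executes.

    Bytecode is covered directly; constants are covered by their repr, and
    nested code objects (inner functions, lambdas) are walked recursively so
    that their memory-address-bearing repr never enters the hash.
    """
    yield code.co_code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from _code_bytes(const)
        else:
            yield repr(const).encode()


def image_hash(func):
    """SHA-256 over the loaded code of a function: stand-in for hashing an image in memory."""
    h = hashlib.sha256()
    for chunk in _code_bytes(func.__code__):
        h.update(chunk)
    return h.hexdigest()


def greet(name):
    """A function whose integrity we want to protect (illustrative)."""
    return "hello " + name


# Baseline captured once at load time, before any untrusted code runs.
# (Constructed here; in practice it would live outside the attacker's reach.)
EXPECTED_HASHES = {"greet": image_hash(greet)}


def validate(func):
    """Return True while the function's current code matches its stored baseline."""
    return image_hash(func) == EXPECTED_HASHES[func.__name__]


def inject(func):
    """Simulate an in-process code injection by replacing the function's code object."""
    def payload(name):
        return "pwned"
    func.__code__ = payload.__code__


if __name__ == "__main__":
    print("before:", validate(greet), greet("world"))   # True, hello world
    inject(greet)
    print("after: ", validate(greet), greet("world"))   # False, pwned
```

Two caveats carry over to the native technique. The check only catches a modification that happens between capture and validation, so the baseline must be taken from a trusted image before untrusted code runs, and it must be stored where the injected code cannot rewrite it (here EXPECTED_HASHES is an ordinary module global, which an attacker running in the same process could overwrite along with the function). The NX bit item above is not something this script can demonstrate; it is enforced by the processor and operating system, not by application code.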