Re: SQL Injection Prevention
From: Valery Pryamikov (Valery_at_nospam.harper.no)
Date: 09/28/04
- Next message: Steve Kass: "Re: SQL Injection Prevention"
- Previous message: Nigel Rivett: "Re: SQL Injection Prevention"
- In reply to: Nigel Rivett: "Re: SQL Injection Prevention"
- Next in thread: Valery Pryamikov: "Re: SQL Injection Prevention"
Date: Tue, 28 Sep 2004 17:28:24 +0200
Again, we aren't talking about good programming practices here, we are just
talking about SQL injection vulnerability, and as long as the possibility exists
we have to account for it.
-Valery.
http://www.harper.no/valery
"Nigel Rivett" <sqlnr@hotmail.com> wrote in message
news:A4E3EE76-C1ED-4FE5-A511-253DE56D4D2A@microsoft.com...
> Just noticed you said
>>> in Oracle you have possibility to
> Missed "possibility" on first reading. Sure you can do that in a stored
> procedure but it would be a last resort and you would be very careful about
> the way you implemented it and what had access to it.
>
> You would need to compare that against someone building an sql statement to
> execute the parameterised query which I guess would have the same
> vulnerability.
>