Re: Solving the ' issue

From: Eric Sabine (mopar41_at_hyottmail.com)
Date: 12/05/03


Date: Fri, 5 Dec 2003 12:40:15 -0500

Follow the link I provided. You'll find useful information on injection.

> Also, if you bothered to read my question I was wondering what I could do
> on the SQL server side to prevent anything bad like '; DELETE FROM ...
> being inserted/injected.

How about starting with using appropriate NT/SQL permissions.

> The issue is not really what language you use on the scripting side, this
> is certainly a SQL issue.

Wrong attitude towards programming. All client access to a database should
be restricted to stored procedures. Test for bad input in the sproc. On
the client side, test for bad input there too. Why waste the time on a
round trip to the server if you can validate injection SQL up front?

> It's nice to see usenet holds up to its standard, makes me remember why
> I stopped using it.

Most likely has more to do with your bad attitude. Seems like your boss knew
exactly what to do with you by giving you this fun Find-And-Replace project.

"PL" <pblse2@yahoo.se> wrote in message
news:uuPSYP1uDHA.1088@tk2msftngp13.phx.gbl...
>
> It's an SQL issue because it's a stupid issue to begin with, why it's
> never fixed I don't know.
>
> Also, if you bothered to read my question I was wondering what I could do
> on the SQL server side to prevent anything bad like '; DELETE FROM ...
> being inserted/injected.
>
> The issue is not really what language you use on the scripting side, this
> is certainly a SQL issue.
>
> It's nice to see usenet holds up to its standard, makes me remember why
> I stopped using it.
>
> PL.
>
>
> "Eric Sabine" <mopar41@hyottmail.com> skrev i meddelandet
news:e5qGo%230uDHA.2244@TK2MSFTNGP09.phx.gbl...
> > Is this a SQL Server issue? I ask because you use the & (AND) operator,
> > not +. If you're trying to prevent something like SQL Injection, you'll
> > have to rewrite code to trap injection.
> > http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3
> >
> > is this what you're asking about?
> >
> > Eric
>
>
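The '; DELETE FROM ... case PL asks about, as an added example that is not code from either poster: the concatenated query run as a batch (the way a SQL Server client sends one) next to the parameterised lookup that treats the same input as data, plus the allowlist check Eric recommends for the client and sproc side. Everything here is constructed: the SQLite in-memory database stands in for SQL Server, and the users table, rows and payload are made up for the demonstration.

```python
"""Added example: stacked-statement SQL injection vs. parameter binding.
Uses SQLite in memory as a stand-in for SQL Server; table, rows and payload
are constructed for the demo."""
import re
import sqlite3

# Constructed sample data.
SEED_ROWS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]

# Attacker-controlled "name" value. The closing quote ends the intended
# literal, the semicolon starts a second statement, and the trailing
# SELECT ' re-balances the quote the application appends.
PAYLOAD = "x'; DELETE FROM users; SELECT '"


def fresh_db():
    """New database with two seeded users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def lookup_vulnerable(conn, name):
    """Builds the statement by string concatenation.

    executescript() is used so the whole string is run as a batch, which is
    what a SQL Server client does with a concatenated command text; plain
    execute() would reject the second statement. Rows from the SELECT are
    discarded by executescript(); the point is the side effect of the DELETE.
    """
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    conn.executescript(sql)


def lookup_safe(conn, name):
    """Parameter binding: the driver ships `name` as a value, never as SQL
    text, so the payload is looked up literally and matches no row."""
    row = conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


# Allowlist for the client-side / stored-procedure validation the reply
# recommends. Defence in depth only; binding is what stops the injection.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_name(name):
    return NAME_RE.fullmatch(name) is not None


def demo():
    """Returns (rows left after vulnerable lookup, safe lookup result,
    rows left after safe lookup)."""
    conn = fresh_db()
    lookup_vulnerable(conn, PAYLOAD)
    after_vuln = count_users(conn)  # the stacked DELETE ran

    conn = fresh_db()
    result = lookup_safe(conn, PAYLOAD)
    after_safe = count_users(conn)  # payload treated as data
    return after_vuln, result, after_safe


if __name__ == "__main__":
    print(demo())
    print(is_valid_name("alice"), is_valid_name(PAYLOAD))
```

On SQL Server the equivalent of lookup_safe is a stored procedure with typed parameters or sp_executesql with a parameter list; the validation in is_valid_name is the check Eric suggests running both on the client and inside the sproc, and the permissions point stands separately: an account that only has EXECUTE on the procedure cannot run DELETE FROM users even if the text reaches the server.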



Relevant Pages

  • Official release of SQL Power Injector 1.2
    ... One of the major improvements is an innovative way to optimize and accelerate the dichotomy in the Blind SQL injection, saving time/number of requests up to 25%. ... Also another great time saver is a new Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context. ... No more time wasted to copy paste the session cookies after you logged... ...
    (Bugtraq)
  • Official release of SQL Power Injector 1.1
    ... I have the pleasure to announce that a new version of SQL Power Injector is now officially available on my web site: ... For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal ... Response of the SQL injection in a customized browser ...
    (Pen-Test)
  • [Full-disclosure] OTRS 1.x/2.x Multiple Security Issues
    ... OTRS, the Open Source Ticket Request System, is a trouble ... ranging from cross site scripting to SQL injection. ... A malicious user may be able to conduct blind SQL code ... an attacker may be able to exploit this issue. ...
    (Full-Disclosure)
