<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos

WebApp Sec: Re: Strange beaviour in sql injection

Re: Strange beaviour in sql injection

From: Kevin Spett <kspett_at_spidynamics.com>
Date: Tue, 29 Oct 2002 10:34:47 -0500

I think Dennis's explanation of the situation is probably accurate as far as
what's happening.

> So, can we desume that the previous dogmas for securing a web application
> replacing quotes and checking if a value is numeric are not enough?

Yes, the best way to protect against SQL injection is to program using
stored procedures, commands objects (in the case of ADO) and prepared
statements (for JDBC). More info coming, stay tuned.

Kevin Spett
SPI Labs
http://www.spidynamics.com/
Received on Oct 29 2002

This message: [ Message body ]
Next message: Shields, Larry: "RE: cgi to update a datable table"
Previous message: Blake Frantz: "RE: cgi to update a datable table"
In reply to: Securityinfos: "Strange beaviour in sql injection"
Next in thread: Brass, Phil (ISS Atlanta): "RE: Strange beaviour in sql injection"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]

edgeos