WebApp Sec: RE: tips to secure a web application

RE: tips to secure a web application

From: Andy Gordon <adg_at_microsoft.com>
Date: Fri, 20 Feb 2004 10:38:19 -0000

> From: .Saphyr [mailto:saphyr_at_infomaniak.ch]
> Sent: 20 February 2004 02:36
> To: webappsec_at_securityfocus.com
> Subject: Re: tips to secure a web application
> You do not have fewer risks by using jdbc support for
> database communication. SQL injection flaws are related to an
> upper layer:
> the sql language, as jdbc only gives you a wrapper to access
> many database providers (sql 2000, oracle, odbc, ...).
>
> You can however mitigate a lot of the sql/command injection
> flaws by using the prepared statements classes (precompiled
> sql requests on which only parameters are added at runtime)
> with jdbc.
>
> For more information, just google 'java prepared statements'.

Are there any libraries for constructing queries from untrusted inputs
such as parameters to web apps, that send text-based SQL to the
database, and that automatically filter the input (e.g. using regexps) to
prevent SQL injection attacks? In particular, do these prepared
statement libraries filter out inputs that include quotes and other
nasties, by default?

Andy
Received on Feb 20 2004
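The quoted reply describes prepared statements as precompiled SQL to which only parameters are added at runtime, and the question above asks whether such libraries filter out quotes. The following is an added example, not part of the original thread, and it uses Python's sqlite3 parameter binding as a stand-in for JDBC's PreparedStatement (the binding mechanism is the same): it shows that a bound parameter is not filtered at all, the quotes are stored and compared verbatim as data, whereas the same text spliced into a concatenated statement changes the query's logic. The table, rows and inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: untrusted text is spliced into the SQL statement itself."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s' "
           "ORDER BY name" % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, name, password):
    """Prepared form: the statement is fixed; ? placeholders are bound at execution."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def stored_verbatim(conn, value):
    """Binding does not strip or escape quotes: the value round-trips exactly as given."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (value, "x"))
    return conn.execute("SELECT name FROM users WHERE name = ?", (value,)).fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    bad_pw = "' OR '1'='1"
    print(login_concat(conn, "alice", bad_pw))    # ['alice', 'bob']: logic altered
    print(login_prepared(conn, "alice", bad_pw))  # []: treated as a literal password
    print(stored_verbatim(conn, "O'Brien"))       # O'Brien: quote kept, nothing filtered
```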
