On-the-fly SQL query creation
From: "Calderon, Juan Carlos (GE Commercial Finance, NonGE)" <juan.calderon () ge com>
Date: Wed, 12 May 2004 11:46:12 -0400
SQL injection, access to the OS through DB stored procedures/functions, data modification/loss, low performance.
From critical security issues through performance problems and finally a bad programming practice, all this can result from
on-the-fly SQL query creation.
Currently, I'm working on a little paper about this, and I'd like to hear your experiences in pentesting, vulnerability
assessment, or simply code you have at hand related to this "bad programming" practice.
It has many implications, that is, you may think that if you use PreparedStatements in Java (or something similar in other
languages) with placeholders and parameter objects (also called that way in ASP.NET) you shouldn't have any problem after
all, or that if you validate your inputs (in other languages like PHP/Perl) you are safe, but is that it?
Other different technologies that use query languages like LDAP or MQL are not in the scope of this paper, for now.
I'd highly appreciate any feedback. BTW, when finished, this little paper will be published on this list for your
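An added example, not part of the original post, showing the practice the post describes: the same lookup written with on-the-fly string concatenation and with bound placeholders, plus the case placeholders do not cover (a dynamic ORDER BY column, since drivers bind values, not identifiers). It uses Python's sqlite3 with a constructed in-memory table; the table, rows and allow-list are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original post).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory users table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, pw):
    # On-the-fly query creation: the input is spliced into the SQL text, so
    # a quote character in the input changes the query's structure, not just
    # its values. A legitimate name such as o'brien breaks the query too.
    sql = "SELECT name FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, pw):
    # Placeholders: the SQL text is fixed at write time and the driver binds
    # the inputs as values only, whatever characters they contain.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


# Hypothetical allow-list of columns the application permits sorting by.
ALLOWED_SORT = {"name", "pw"}


def list_users_sorted(conn, column):
    # Placeholders cannot bind identifiers (table or column names), so a
    # dynamic ORDER BY is still on-the-fly query creation. The check against a
    # fixed allow-list is what keeps the query text under the program's control.
    if column not in ALLOWED_SORT:
        raise ValueError("unsupported sort column: %r" % column)
    sql = "SELECT name FROM users ORDER BY " + column
    return [row[0] for row in conn.execute(sql)]
```

The tautology input in the test shows the structural change: the concatenated query matches every row, while the parameterized one treats the same string as a literal name and matches none.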