Home page logo

webappsec logo WebApp Sec mailing list archives

On-the-fly SQL query creation
From: "Calderon, Juan Carlos (GE Commercial Finance, NonGE)" <juan.calderon () ge com>
Date: Wed, 12 May 2004 11:46:12 -0400

Sql Injection, Access to OS though DB stored procedures/functions, data modification/lost, low performance.

From critical security issues through performance problems and finally a bad programming practice, all this can be 
on-the-fly SQL query creation.

Currently, I'm working in a little paper about this, and I'd like to hear your experiences in Pentesting, Vulnerability 
Assessment, or simply code you have at hand related to this "bad programming" practice.

It has many implications, this is, you may thing that if you use PreparedStatements for Java (other similar for other 
languages) using placeholders and parameter objects (also called that way in ASP.NET) shouldn't have any problem after 
all, or if you validate your inputs (in other languages like php/perl) you are safe, but is that it? 

Other different technologies that use query languages like LDAP or MQL are not in the scope of this paper, for now.

I'll highly appreciate any feedback, BTW when finished this little paper will be published in this lists for your 


  By Date           By Thread  

Current thread:
  • On-the-fly SQL query creation Calderon, Juan Carlos (GE Commercial Finance, NonGE) (May 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]