WebApp Sec mailing list archives
Re: Strange behaviour in SQL injection
From: "Kevin Spett" <kspett () spidynamics com>
Date: Tue, 29 Oct 2002 10:34:47 -0500
I think Dennis's explanation of the situation is probably accurate as far as what's happening.
> So, can we deduce that the previous dogmas for securing a web application, replacing quotes and checking whether a value is numeric, are not enough?

Yes, the best way to protect against SQL injection is to program using stored procedures, command objects (in the case of ADO) and prepared statements (for JDBC). More info coming, stay tuned.

Kevin Spett
SPI Labs
http://www.spidynamics.com/
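As an added illustration (not part of the original thread), the following Python/sqlite3 snippet contrasts the "replace quotes" defence with a prepared statement, using a constructed in-memory table. Because the id column is numeric and the value is placed unquoted in the SQL, quote doubling never engages, while the bound parameter is treated purely as a value.

```python
import sqlite3


def make_db():
    """Create a constructed sample database (not from the original thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_quote_escaped(conn, user_id):
    """The 'replace quotes' defence: double any single quote, then concatenate.

    The value is unquoted in the SQL because id is numeric, so quote
    handling never applies and any SQL following the number is executed.
    """
    escaped = user_id.replace("'", "''")
    sql = "SELECT id, name FROM users WHERE id = " + escaped
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, user_id):
    """Prepared statement: the value is bound, never parsed as SQL text."""
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def compare(user_input):
    """Run both lookups on a fresh database and return (escaped, prepared)."""
    conn = make_db()
    return lookup_quote_escaped(conn, user_input), lookup_prepared(conn, user_input)


if __name__ == "__main__":
    print(compare("2"))          # both return one row
    print(compare("2 OR 1=1"))   # escaped returns every row, prepared returns none
```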
Current thread:
- Strange behaviour in SQL injection Securityinfos (Oct 29)
- RE: Strange behaviour in SQL injection Dennis Hurst (Oct 29)
- Re: Strange behaviour in SQL injection Mariusz Pekala (Nov 30)
- Re: Strange behaviour in SQL injection Kevin Spett (Oct 29)
- <Possible follow-ups>
- RE: Strange behaviour in SQL injection Brass, Phil (ISS Atlanta) (Oct 30)
- RE: Strange behaviour in SQL injection Dennis Hurst (Oct 29)
