Re: Paper: SQL Injection Attacks by Example
From: Cory Foy (Cory.Foy at mobilehwy.com)
Date: Wed Jan 05 2005 - 14:56:28 CST
Scovetta, Michael V wrote:
> At least in MSSQL, you'd have to do something bad like use sp_executesql
> or some other function that will re-form a complete sql query and pass
> that to the interpreter. As long as you do more sensible stuff like:
>
> insert into table (name, age) values (@b, @a)
>
> you should be fine.
Except that I've seen webbie-type people who will execute a stored proc
by doing:
strSQL = "exec userLogin " + userName + " " + userPassword
which would still be subject to a SQL Injection attack if I simply
had a semicolon in the userPassword and then was able to pass any other
query to it.
Cory
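An added example, not from the thread (Python is assumed; the snippet in the post looks like ASP/VB): it builds the `exec userLogin` command text the way Cory's snippet does, puts the parameterised form beside it, and runs a small statement splitter over both to show that only the concatenated version's statement count depends on what the user typed. The `?` placeholder style and the `userLogin` parameter order are assumptions.

```python
# Added example: concatenated vs. parameterised stored-procedure call,
# plus a simple top-level statement count used as a defensive check.


def build_concatenated(user_name: str, user_password: str) -> str:
    """The pattern quoted in the post: user values spliced into the command text."""
    return "exec userLogin " + user_name + " " + user_password


def build_parameterised(user_name: str, user_password: str):
    """Fixed command text plus a separate parameter tuple. The driver sends the
    values out-of-band, so they can never become part of the statement text.
    ('?' placeholders as used by ODBC-style drivers; assumed here.)"""
    return ("exec userLogin ?, ?", (user_name, user_password))


def split_statements(sql: str) -> list:
    """Split command text on ';' outside single-quoted literals ('' is an
    escaped quote). A demonstration splitter, not a full T-SQL parser."""
    parts, cur, in_string, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if in_string and sql[i + 1:i + 2] == "'":
                cur.append("''")  # escaped quote inside a literal
                i += 2
                continue
            in_string = not in_string
        elif ch == ";" and not in_string:
            parts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


# Constructed inputs: a well-behaved login and one carrying a ';' followed by
# a harmless second statement, as the post describes.
BENIGN = ("alice", "hunter2")
INJECTED = ("alice", "x; select 'injected'")

if __name__ == "__main__":
    for creds in (BENIGN, INJECTED):
        print(split_statements(build_concatenated(*creds)))  # 1 vs. 2 statements
        text, params = build_parameterised(*creds)
        print(split_statements(text), params)                 # always 1 statement
```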