OSEC

From: Florian Specker (speckerICU.UNIZH.CH)
Date: Wed Feb 07 2001 - 18:38:25 CST


    > Since I'm an SQL newbie, I'd be curious to know how someone could supply
    > the appropriate input to do bad things on the SQL server - either in R/O or
    > R/W mode

    Well, I didn't dive too deeply into this subject, but AFAIK, as long as
    the user input is just strings that get escaped, there shouldn't be a
    problem (correct me if I'm wrong). But if user input gets written into
    an INT field (or any other data type that does not require those "'"),
    you're in trouble if you write without server-side checking... Imagine an
    HTML form containing only integer values, in combination with a query
    like:
    SELECT Name FROM Users WHERE ID = <user_input> ORDER BY Name

    No problem if <user_input> really is an integer... but what about

    5; DROP TABLE SomeOtherTable; SELECT Name FROM Users WHERE ID = 5

    ? Hope you've got a backup :)

    Cheers, Florian

    -- 
             Florian Specker, speckericu.unizh.ch
    -------------------------------------------------------
       I don't need life insurance. I want everyone to be
    really sad when I die one day.
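
The scenario in the message above, as an added example that is not part of the original post or the list archive. It is written in Python against sqlite3; the schema, the rows, and the helper names (make_db, run_stacked, lookup_unsafe, lookup_safe) are assumptions made for the demonstration. The unsafe lookup pastes the form value into the query text exactly as the quoted query does, and a small helper emulates a server that runs stacked ';'-separated statements (sqlite3's own execute() refuses them). The safe lookup does the server-side integer check the message calls for and then binds the value as a parameter.

```python
import sqlite3

# Constructed sample schema and rows (assumptions for this example; the message
# only names the Users and SomeOtherTable tables and the ID/Name columns).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (ID INTEGER PRIMARY KEY, Name TEXT);
        CREATE TABLE SomeOtherTable (ID INTEGER PRIMARY KEY, Note TEXT);
        INSERT INTO Users VALUES (5, 'alice'), (7, 'bob');
        INSERT INTO SomeOtherTable VALUES (1, 'do not drop me');
    """)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def run_stacked(conn, sql):
    """Emulate a server that executes ';'-separated statements in order and
    returns the rows of the last one. sqlite3's execute() refuses stacked
    statements, so they are split here; the naive split is adequate for the
    inputs in this example (no ';' inside string literals)."""
    rows = []
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if stmt:
            rows = conn.execute(stmt).fetchall()
    conn.commit()
    return rows


# The attacker's form value from the message: a valid ID, then a stacked
# DROP, then a second SELECT that absorbs the trailing "ORDER BY Name".
PAYLOAD = "5; DROP TABLE SomeOtherTable; SELECT Name FROM Users WHERE ID = 5"


def lookup_unsafe(conn, user_input):
    """Vulnerable: the form value is pasted into the statement text, exactly
    as in the query quoted in the message. No check, no quoting to escape."""
    sql = "SELECT Name FROM Users WHERE ID = %s ORDER BY Name" % user_input
    return [name for (name,) in run_stacked(conn, sql)]


def lookup_safe(conn, user_input):
    """Hardened: reject anything that is not an integer on the server side,
    then pass the value as a bound parameter so it never becomes SQL text."""
    try:
        user_id = int(user_input)
    except (TypeError, ValueError):
        raise ValueError("ID must be an integer, got %r" % (user_input,))
    rows = conn.execute(
        "SELECT Name FROM Users WHERE ID = ? ORDER BY Name", (user_id,)
    ).fetchall()
    return [name for (name,) in rows]


if __name__ == "__main__":
    db = make_db()
    print("before:", table_exists(db, "SomeOtherTable"))        # True
    print(lookup_unsafe(db, PAYLOAD))                            # ['alice']: looks normal
    print("after unsafe:", table_exists(db, "SomeOtherTable"))  # False: table dropped

    db = make_db()
    try:
        lookup_safe(db, PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
    print("after safe:", table_exists(db, "SomeOtherTable"))    # True
```

Note that the unsafe lookup still returns the expected name for the attacker's input, so the application sees nothing unusual while the table disappears. A driver that refuses stacked statements (as sqlite3's execute() does) only blocks this particular payload: the attacker can still rewrite the single SELECT itself, for instance with "5 OR 1=1" or a UNION, so the integer check and the bound parameter are what actually close the hole.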