From: Matt Sergeant (msergeantstartechgroup.co.uk)
Date: Wed Jan 30 2002 - 04:26:26 CST


    From: "spi labs" <spilabsspidynamics.com>

    > The SPI Labs whitepaper on SQL injection has been released. It is
    > available in PDF format from:
    > http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
    >
    > Here's the overview:
    > SQL injection is a technique for exploiting web applications
    > that use client-supplied data in SQL queries without stripping illegal
    > characters first. Despite being remarkably simple to protect against, there
    > is an astonishing number of production systems connected to the Internet
    > that are vulnerable to this type of attack. The objective of this paper is
    > to educate the professional security community on the techniques that can be
    > used to take advantage of a web application that is vulnerable to SQL
    > injection as well as make clear the correct mechanisms that should be put in
    > place to protect against SQL injection, as well as input validations
    > problems in general.

    I think your "Solutions" section should mention using SQL placeholders. I'm
    not sure how many DB APIs support this concept, but I know ODBC does, as
    does the Perl DBI, and it's the safest way to protect yourself against these
    kinds of attacks, and it's a hell of a lot easier and more flexible than
    doing "allowed character" fixups.

    Matt.
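The placeholder approach Matt recommends, shown as an added example (not part of the original thread or the SPI Labs paper) using Python's standard sqlite3 module in place of Perl DBI; the table, rows and the untrusted input string are all constructed for the demonstration:

```python
import sqlite3

# Constructed in-memory sample database for the demonstration.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2"), ("o'brien", "s3")])
    conn.commit()
    return conn

def lookup_concatenated(conn, username):
    # The pattern the whitepaper warns about: client-supplied data is
    # spliced into the SQL text, so a quote in the data changes the query.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]

def lookup_placeholder(conn, username):
    # Matt's suggestion: a placeholder ("?" in sqlite3, like DBI's "?").
    # The driver binds the value separately from the SQL text, so whatever
    # the string contains is compared as a literal, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]

# Constructed untrusted input containing a quote character.
UNTRUSTED = "x' OR '1'='1"

def demo():
    conn = build_db()
    results = {
        "concat_untrusted": lookup_concatenated(conn, UNTRUSTED),
        "placeholder_untrusted": lookup_placeholder(conn, UNTRUSTED),
        # A legitimate value with an apostrophe: the placeholder handles it
        # without any "allowed character" fixup rejecting or mangling it.
        "placeholder_apostrophe": lookup_placeholder(conn, "o'brien"),
    }
    try:
        lookup_concatenated(conn, "o'brien")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        # The stray quote breaks the query: a legitimate user is locked out.
        results["concat_apostrophe"] = "syntax error"
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The concatenated query returns every row for the quoted input and fails outright on a legitimate name containing an apostrophe, while the placeholder version returns only exact matches in both cases.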