RE: ISA Server and SQL Injection
From: Jeff Robertson (Jeff.Robertson@DigitalInsight.com)
Date: Thu Feb 17 2005 - 13:58:18 CST
> -----Original Message-----
> From: Matthieu Estrade [mailto:mestrade@apache.org]
> Sent: Thursday, February 17, 2005 08:58
> To: webappsec@securityfocus.com
> Subject: Re: ISA Server and SQL Injection
>
> Yes sure, if you code an application using some SQL query in a parameter,
> you should read "howto do secure code for webapp"....
> Applications mainly use the value later, inside a query, but the query
> is in the code.
> http://www.toto.com/test.php?product_id=4 is ok and there is NO WAY to
> see some SQL syntax here.
> %20id=4 is not ok, and you should fire developers doing this....
What if your web app is a web based forum where people discuss web security,
and someone participating in a discussion about SQL Injection wants to post
a message that has some SQL in it? How will the firewall know if from the
Manager of Web Application Security
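The point both posters circle around (the query text lives in the code, and user-supplied values, even ones that look like SQL, are just data) is easiest to see with parameter binding. The following is an added example, not code from either poster; it uses Python's sqlite3 module with a constructed in-memory schema, a product_id lookup like the test.php one above, and a forum post body that legitimately contains SQL text.

```python
import sqlite3

# Constructed sample data: a forum post that legitimately contains SQL syntax
# (as in the web-security forum scenario above), and a product_id value that
# carries SQL syntax instead of a plain number.
FORUM_POST = "Try: SELECT * FROM products WHERE id=4 OR 1=1 -- that is what injection looks like"
HOSTILE_ID = "4 OR 1=1"


def setup():
    """Build a throwaway in-memory database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (4, 'widget'), (5, 'gadget');
        CREATE TABLE posts(id INTEGER PRIMARY KEY, body TEXT);
    """)
    return conn


def products_unsafe(conn, product_id):
    """Query built by string concatenation: the value becomes part of the SQL
    text, so SQL syntax in product_id changes what the query does."""
    return conn.execute("SELECT name FROM products WHERE id=" + product_id).fetchall()


def products_safe(conn, product_id):
    """Query text is fixed in the code; the value is bound as a parameter, so
    whatever product_id contains is compared as a value, never parsed as SQL."""
    return conn.execute("SELECT name FROM products WHERE id=?", (product_id,)).fetchall()


def store_and_read_post(conn, body):
    """Store a forum post with parameter binding and read it back verbatim.
    SQL text inside the body is stored as data; no filter has to guess."""
    conn.execute("INSERT INTO posts(body) VALUES (?)", (body,))
    return conn.execute("SELECT body FROM posts ORDER BY id DESC LIMIT 1").fetchone()[0]
```

With binding, the SQL-looking product_id simply matches no row and the SQL-laden forum post round-trips unchanged, which is why the fix belongs in the code rather than in a firewall trying to recognise SQL.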