RE: ISA Server and SQL Injection
From: Jeff Robertson (Jeff.Robertson at DigitalInsight.com)
Date: Thu Feb 17 2005 - 13:58:18 CST
> -----Original Message-----
> From: Matthieu Estrade [mailto:mestrade at apache.org]
> Sent: Thursday, February 17, 2005 08:58
> To: webappsec at securityfocus.com
> Subject: Re: ISA Server and SQL Injection
>
> Yes, sure, if you code an application that takes some SQL query as a
> parameter, you should read "howto do secure code for webapp"....
> Applications mainly use the value, which is then used by the application
> inside a query, but the query is in the code.
>
> http://www.toto.com/test.php?product_id=4 is OK and there is NO WAY to
> see any SQL syntax here.
>
> http://www.toto.com/test.php?product_id=SELECT%20*%20FROM%20product%20WHERE%20id=4
> is not OK, and you should fire the developer doing this....
What if your web app is a web-based forum where people discuss web security,
and someone participating in a discussion about SQL Injection wants to post
a message that has some SQL in it? How will the firewall tell it from the
real thing?
Jeff Robertson
Manager of Web Application Security
Digital Insight
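The two points in this exchange (the query belongs in the code, and a perimeter keyword filter cannot tell a forum post quoting SQL from an attack) side by side, as an added example that is not from either poster. It uses an in-memory SQLite database and a constructed forum post and product_id value; the keyword pattern is a stand-in for a signature filter, not ISA Server's actual rules.

```python
import re
import sqlite3

# Constructed sample inputs: a legitimate forum post that quotes SQL, and a
# product_id value of the kind the thread warns about.
FORUM_POST = "Try product_id=4 OR id=5 in your test app and see whether it breaks."
HOSTILE_ID = "4 OR id=5"

# Stand-in for a perimeter keyword filter (assumption, not ISA Server's rules).
SQL_PATTERN = re.compile(r"\b(select|union|or|drop|from)\b", re.IGNORECASE)


def signature_filter_blocks(value: str) -> bool:
    """True when a keyword-based filter would reject the input.

    It rejects the harmless forum post just as readily as the hostile id,
    because it only sees text, not how the application uses it.
    """
    return bool(SQL_PATTERN.search(value))


def setup() -> sqlite3.Connection:
    """Create the product and post tables with a little constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product(id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)",
                     [(4, "widget"), (5, "gadget")])
    conn.execute("CREATE TABLE post(body TEXT)")
    return conn


def lookup_concatenated(conn, product_id: str):
    """Vulnerable: the request value is spliced into the query text,
    so the value can change the query's meaning."""
    return conn.execute("SELECT name FROM product WHERE id=" + product_id).fetchall()


def lookup_parameterized(conn, product_id: str):
    """Safe: the query is fixed in the code and the value is bound as data,
    so no filter in front of the application is needed to keep it a value."""
    return conn.execute("SELECT name FROM product WHERE id=?", (product_id,)).fetchall()


def store_post(conn, body: str) -> str:
    """Store a forum post that contains SQL text and read it back unchanged."""
    conn.execute("INSERT INTO post(body) VALUES (?)", (body,))
    return conn.execute("SELECT body FROM post ORDER BY rowid DESC").fetchone()[0]
```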