Full Disclosure mailing list archives

Re: FW: Introducing a new generic approach to detecting SQL injection

From: Mohit Muthanna <mohit.muthanna () gmail com>
Date: Wed, 20 Apr 2005 16:14:09 -0400

As you know, blocking SQL injection with filters on characters is painful and
not always successful. I got thinking about it and thought of an approach


Painful? That's just an excuse for being lazy. (No offense intended.)

Not always successful? ... I don't get this, why not?

There are a number of tools and libraries that will quite easily and
robustly handle quoting / escaping issues for you. E.g., perl's DBI
module handles all your quoting issues by way of prepared statements.

All it takes is a little forethought and a lot less laziness.

Mohit.

--
Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those
who don't."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

FW: Introducing a new generic approach to detecting SQL injection Glenn.Everhart (Apr 19)
- RE: FW: Introducing a new generic approach todetecting SQL injection Paul Melson (Apr 19)
- Re: FW: Introducing a new generic approach to detecting SQL injection Mohit Muthanna (Apr 20)
- Re: FW: Introducing a new generic approach to detecting SQL injection Paul J. Morris (Apr 22)
  - Re: FW: Introducing a new generic approach to detecting SQL injection Mohit Muthanna (Apr 22)
    - Re: FW: Introducing a new generic approach to detecting SQL injection Paul J. Morris (Apr 22)
    - Message not available
    - Re: FW: Introducing a new generic approach to detecting SQL injection Paul J. Morris (Apr 22)
    - Re: FW: Introducing a new generic approach to detecting SQL injection Mohit Muthanna (Apr 23)
    - Re: FW: Introducing a new generic approach to detecting SQL injection Bipin Gautam (Apr 23)