Re: SQL injection

["DokFLeed" <dokfleed () dokfleed net>]

there was a CGI Shield once http://cgishield.com/ ,
I am not sure what happened to the Author, domain is for sale, so I tried 
to go on with the Project for more than a year

It stops web Attacks, including SQL injections

"IRax, is a PHP Gateway, it can be integrated in any Web Application to stop 
known atax.
it prevents,SQL injections, XSS, and many other known atax. It depends 
mainly on PHP CLIENT/SERVER socket scripting  "

http://www.dokfleed.net/irax/
its signature based,
* signature file is separated
* exceptions pages & fields are allowed
* reporting templates built-in
* faster interception engine
* recoded reporting server

All contributions are welcomed,
DokFLeed


----- Original Message ----- 
From: "Hernán M. Racciatti" <hracciatti () gmail com>
To: <pen-test () securityfocus com>
Sent: Friday, June 10, 2005 10:40 PM
Subject: Re: SQL injection


On 6/10/05, Leandro Reox <lmet5on () fibertel com ar> wrote:

> Like Todd says "nothing is 100% secure"

Is the real life...

> so wellcoded web apps + good sigs
> based detections + good db diagramming + a lot of conscience makes a nice
> combo.

I agree, but I would add one or two additional items: security in
depth and less privileges...

p.d: In SQL Injection tactics, evasion OFTEN is possible ej:

'OR 1=1--
'OR1=1--
'or2>1--
%27%4f%52%20%31%3d%31%2d%2d
%27%4f%52%20'a'=N'a'
etc...

Config n signatures is theoretically possible, but not in practical terms...

Clean code is the only last defense..

My 2 cent.
Bye.

--
Hernán Marcelo Racciatti

Core Team Member ISECOM (Institute for Security and Open Methodologies)
Coordinator OISSG, Argentina (Open Information System Security Group)

[mailto:hracciatti () gmail com]
[http://www.hernanracciatti.com.ar]