WebApp Sec mailing list archives
Re: SQL Injection Basics
From: "dreamwvr () dreamwvr com" <dreamwvr () dreamwvr com>
Date: Tue, 11 Feb 2003 11:37:58 -0700
On Tue, Feb 11, 2003 at 04:35:50PM +0100, Sverre H. Huseby wrote:
Consider a system talking to PostgreSQL (or MySQL or any other database that accepts C-style backslash escapes in string constants). If the developer just thinks about the ticks, he may (given
Well IMO why not simply filter out all non alpha and integers. logging everything else and not allowing to form a SQL statement at all? Then allow very select special characters like ; only in a specific position. Just my 2 cents. Best Regards, dreamwvr () dreamwvr com -- /* Security is a work in progress - dreamwvr */ # # Note: To begin Journey type man afterboot,man help,man hier[.] # // "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \? ;-]
Current thread:
- RE: SQL Injection Basics, (continued)
- RE: SQL Injection Basics Dennis Hurst (Feb 10)
- Re: SQL Injection Basics Taco Fleur (Feb 10)
- RE: SQL Injection Basics Robert Nilsen (Feb 10)
- Re: SQL Injection Basics Dirk Gomez (Feb 10)
- RE: SQL Injection Basics Keith Smith (Feb 10)
- Re: SQL Injection Basics Kevin Spett (Feb 10)
- Re: SQL Injection Basics Dejan Bosanac (Feb 11)
- Re: SQL Injection Basics Dirk Gomez (Feb 11)
- Re: SQL Injection Basics Dejan Bosanac (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics Alex Russell (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics Alex Russell (Feb 11)
- Re: SQL Injection Basics Jerry Connolly (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)