WebApp Sec mailing list archives

Re: Current Project Design, Comments?

From: "Kevin Spett" <kspett () spidynamics com>
Date: Fri, 14 Feb 2003 16:03:23 -0500

Hmmm... a hot week for SQL injection questions.  Simply use Prepared
Statements, Stored Procedures and Command Objects to access the database.
No "string built" queries.  The easiest way to enforce and test this is to
make sure that the *only* thing the web app's DB user has access to is a set
of stored procedures... It shouldn't even be allowed to run arbitrary SELECT
statements on relevent tables.

BTW, could you throw out a link to said whitepaper?



Kevin Spett
SPI Labs
http://www.spidynamics.com/

Pretty standard in the web world, correct?  I am still trying to figure

out

a universal way to handle SQL injections.  I garnered most of this from
Microsoft's whitepaper on secure ASP.NET applications.


--
Michael Loll
Consultant / Pointe Technology Group, Inc.
mloll () pointetech com / www.pointetech.com


* This email is my opinion and not that of my employer.

Current thread:

Current Project Design, Comments? Michael Loll (Feb 14)
- Re: Current Project Design, Comments? Kevin Spett (Feb 14)
- <Possible follow-ups>
- RE: Current Project Design, Comments? Brass, Phil (ISS Atlanta) (Feb 14)
- RE: Current Project Design, Comments? Michael Loll (Feb 14)
- RE: Current Project Design, Comments? Michael Loll (Feb 14)
- RE: Current Project Design, Comments? securityarchitect (Feb 14)
- RE: Current Project Design, Comments? Logan F.D. Greenlee (Feb 14)
- RE: Current Project Design, Comments? Michael Loll (Feb 14)
  - RE: Current Project Design, Comments? Tim Aranki (Feb 14)
- RE: Current Project Design, Comments? Scott (Feb 14)
- RE: Current Project Design, Comments? Gal Rozov (Feb 17)
- RE: Current Project Design, Comments? Michael Loll (Feb 17)

(Thread continues...)