WebApp Sec mailing list archives
RE: Current Project Design, Comments?
From: Michael Loll <mloll () pointetech com>
Date: Fri, 14 Feb 2003 16:15:45 -0500
Kevin, Try this: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/ht ml/secnetlpMSDN.asp Yes, I'm only using Stored Procedures for data access/updating. Any time a user wishes to touch the database it will be through our application, no where else. Though I guess an Oracle administrator COULD do whatever they wanted, but you can't stop that. -----Original Message----- From: Kevin Spett [mailto:kspett () spidynamics com] Sent: Friday, February 14, 2003 4:03 PM To: Michael Loll; webappsec () securityfocus com Subject: Re: Current Project Design, Comments? Hmmm... a hot week for SQL injection questions. Simply use Prepared Statements, Stored Procedures and Command Objects to access the database. No "string built" queries. The easiest way to enforce and test this is to make sure that the *only* thing the web app's DB user has access to is a set of stored procedures... It shouldn't even be allowed to run arbitrary SELECT statements on relevent tables. BTW, could you throw out a link to said whitepaper?
Current thread:
- Current Project Design, Comments? Michael Loll (Feb 14)
- Re: Current Project Design, Comments? Kevin Spett (Feb 14)
- <Possible follow-ups>
- RE: Current Project Design, Comments? Brass, Phil (ISS Atlanta) (Feb 14)
- RE: Current Project Design, Comments? Michael Loll (Feb 14)
- RE: Current Project Design, Comments? Michael Loll (Feb 14)
- RE: Current Project Design, Comments? securityarchitect (Feb 14)
- RE: Current Project Design, Comments? Logan F.D. Greenlee (Feb 14)
- RE: Current Project Design, Comments? Michael Loll (Feb 14)
- RE: Current Project Design, Comments? Tim Aranki (Feb 14)
- RE: Current Project Design, Comments? Scott (Feb 14)
- RE: Current Project Design, Comments? Gal Rozov (Feb 17)
- RE: Current Project Design, Comments? Michael Loll (Feb 17)
- RE: Current Project Design, Comments? TUER, DON (Feb 17)
- RE: Current Project Design, Comments? Douglas Schlenker (Feb 17)
(Thread continues...)