WebApp Sec mailing list archives
RE: SQL Injection
From: "Michael Silk" <michaels () phg com au>
Date: Thu, 10 Jun 2004 09:01:56 +1000
Hi Gunter,

I fail to see how a site that mitigates SQL Injection via appropriate escaping can be susceptible to SQL Injection due to XSS. On that note, if XSS and SQL Injection are both possible, stopping XSS will not stop SQL Injection; however, it may allow for some more sneaky implementations of it. I was attempting to clear up the thought that the other poster had, who seemed to think that by stopping XSS he would also stop SQL Injection; of course this isn't true.

-- Michael

-----Original Message-----
From: WebAppSecurity [Technicalinfo.net] [mailto:webappsec () technicalinfo net]
Sent: Thursday, 10 June 2004 5:10 AM
To: Michael Silk; 'Steven M. Christey'; webappsec () securityfocus com
Subject: RE: SQL Injection
There are many, many more possibilities for XSS than simply the <script> tag. Of course it depends on where the resulting string ends up, but simply replacing the <script> tag is *not* enough.

You may want to have a read of http://www.technicalinfo.net/papers/CSS.html which goes into some of the alternative attack vectors - and they can readily be ported across for SQL insertion... in fact, any code insertion attack vectors.

Cheers,
Gunter

This email message and accompanying data may contain information that is confidential and/or subject to legal privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error, please notify us immediately and erase all copies of this message and attachments. This email is for your convenience only; you should not rely on any information contained herein for contractual or legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by authorised persons.