WebApp Sec mailing list archives

RE: ISA Server and SQL Injection

From: Jeff Robertson <Jeff.Robertson () DigitalInsight com>
Date: Thu, 17 Feb 2005 14:58:18 -0500

-----Original Message-----
From: Matthieu Estrade [mailto:mestrade () apache org]
Sent: Thursday, February 17, 2005 08:58
To: webappsec () securityfocus com
Subject: Re: ISA Server and SQL Injection

Yes sure, if you code application using in parameter some SQL 
query, you 
should read "howto do secure code for webapp"....
Application mainly use value after used by the application inside a 
query, but the query is in the code.

http://www.toto.com/test.php?product_id=4 is ok and there is 
NO WAY to 
see here some SQL Syntax.

http://www.toto.com/test.php?product_id=SELECT%20*%20FROM%20pr

oduct%20WHERE 
%20id=4 is not ok, and you shoud fire developper doing this....

What if your web app is a web based forum where people discuss web security,
and someone participating in a discussion about SQL Injection wants to post
a message that has some SQL in it? How will the firewall know if from the
real thing?


Jeff Robertson
Manager of Web Application Security
Digital Insigh

Current thread:

Re: ISA Server and SQL Injection, (continued)
- - - Re: ISA Server and SQL Injection Bogdan Tomchuk (Feb 16)
    - Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
    - Re: ISA Server and SQL Injection Bogdan Tomchuk (Feb 17)
    - Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
    - RE: ISA Server and SQL Injection Marty Block (Feb 19)
    - Re: ISA Server and SQL Injection fantomas (Feb 28)
- RE: ISA Server and SQL Injection Hofmeyr, Michael (ZA - Johannesburg) (Feb 15)
  - Re: ISA Server and SQL Injection Darren Bounds (Feb 16)
- RE: ISA Server and SQL Injection charles freeman (Feb 16)
- RE: ISA Server and SQL Injection Roberto GABERGI (Feb 17)
- RE: ISA Server and SQL Injection Jeff Robertson (Feb 17)
  - Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
- RE: ISA Server and SQL Injection Sebastien Deleersnyder (Feb 19)
  - Re: ISA Server and SQL Injection Matthieu Estrade (Feb 19)
    - RE: ISA Server and SQL Injection Ofer Shezaf (Feb 21)
    - RE: ISA Server and SQL Injection Mark Curphey (Feb 21)
    - Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 23)
    - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] David (Feb 23)
    - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 28)
    - storing SSNs, CCNs, password in the DB Francesco (Feb 28)
    - Re: storing SSNs, CCNs, password in the DB Adam Shostack (Feb 28)

(Thread continues...)