WebApp Sec mailing list archives
RE: ISA Server and SQL Injection
From: Jeff Robertson <Jeff.Robertson () DigitalInsight com>
Date: Thu, 17 Feb 2005 14:58:18 -0500
-----Original Message----- From: Matthieu Estrade [mailto:mestrade () apache org] Sent: Thursday, February 17, 2005 08:58 To: webappsec () securityfocus com Subject: Re: ISA Server and SQL Injection Yes sure, if you code application using in parameter some SQL query, you should read "howto do secure code for webapp".... Application mainly use value after used by the application inside a query, but the query is in the code. http://www.toto.com/test.php?product_id=4 is ok and there is NO WAY to see here some SQL Syntax. http://www.toto.com/test.php?product_id=SELECT%20*%20FROM%20pr
oduct%20WHERE %20id=4 is not ok, and you shoud fire developper doing this.... What if your web app is a web based forum where people discuss web security, and someone participating in a discussion about SQL Injection wants to post a message that has some SQL in it? How will the firewall know if from the real thing? Jeff Robertson Manager of Web Application Security Digital Insigh
Current thread:
- Re: ISA Server and SQL Injection, (continued)
- Re: ISA Server and SQL Injection Bogdan Tomchuk (Feb 16)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
- Re: ISA Server and SQL Injection Bogdan Tomchuk (Feb 17)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
- RE: ISA Server and SQL Injection Marty Block (Feb 19)
- Re: ISA Server and SQL Injection fantomas (Feb 28)
- Re: ISA Server and SQL Injection Darren Bounds (Feb 16)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 19)
- RE: ISA Server and SQL Injection Ofer Shezaf (Feb 21)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 21)
- Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 23)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] David (Feb 23)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 28)
- storing SSNs, CCNs, password in the DB Francesco (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Adam Shostack (Feb 28)