WASC-Articles Announcement: "The Unexpected SQL Injection" by Alexander "Mordred" Andonov

[announcements () webappsec org]

WASC is proud to present a new WASC-article titled "The Unexpected SQL
Injection" by Alexander "Mordred" Andonov. This article surveys several
scenarios under which SQL injection may occur, even though
mysql_real_escape_string() has been used. There are two major steps at
writing SQL injection resistant code: correct validation and escaping of
input and proper use of the SQL syntax. Failure to comply with any of
them may lead to compromise. Many of the specific issues are already
known, but no single document mentions them all.
 
Although the examples in the paper make use of PHP/MySQL, the same
principles apply to ASP/MSSQL and other combinations of languages and
databases.
 
The paper can be found in
http://www.webappsec.org/projects/articles/091007.shtml
 
Regards,
The WASC-Articles team
http://www.webappsec.org/projects/articles/
http://www.webappsec.org/ The Web Application Security Consortium



-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online 
despite security executives' efforts to prevent malicious attacks. This 
whitepaper identifies the most common methods of attacks that we have seen, 
and outlines a guideline for developing secure web applications. 
Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------