[PLUG] SQL insertion attacks
Dylan Reinhardt
plug at dylanreinhardt.com
Wed Oct 30 18:21:28 UTC 2002
SQL insertion isn't a platform issue so much as a SQL/middleware
issue. Sanitizing all user input before passing it to a database engine
is a crucial (but often overlooked) practice.
SQL is a pretty powerful language and if you're able to pass arbitrary
strings to the DB engine, virtually anything is possible, particularly if
you have some knowledge of the implementation details.
An excellent study in some of the relevant issues can be found here:
http://www.sensepost.com/misc/SQLinsertion.htm
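The two points above (unsanitized input reaching the engine, and arbitrary SQL then being possible) are illustrated by the following added example, which is not part of the original post or the linked paper. It is a toy login check written two ways against an in-memory SQLite database; the table, the user rows and the attack strings are constructed for the illustration.

```python
"""Added example (not from the original post): a login lookup built by
string concatenation next to the same lookup done with a parameterized
query. The users table and its two rows are constructed sample data."""
import sqlite3


def make_db():
    # Constructed sample data: an in-memory database with two accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by pasting user input into the SQL text.

    Whatever the caller supplies becomes part of the statement's grammar,
    so quotes, OR clauses, UNIONs and comment markers all take effect.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with bound parameters.

    The statement text is fixed; the driver hands the values to the engine
    separately, so the same attack strings are compared as literal data and
    simply fail to match any row.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Constructed attack inputs.
# 1. Classic tautology: turns the WHERE clause into
#    username = 'alice' AND password = '' OR '1'='1'
BYPASS_PASSWORD = "' OR '1'='1"

# 2. Reading data the query was never meant to return: the UNION pulls
#    another user's password into the result and the trailing comment
#    marker discards the rest of the original statement.
EXFIL_USERNAME = "x' UNION SELECT password FROM users WHERE username='bob' --"


if __name__ == "__main__":
    db = make_db()
    print("legit, vulnerable:", login_vulnerable(db, "alice", "s3cret"))
    print("legit, safe:      ", login_safe(db, "alice", "s3cret"))
    print("bypass, vulnerable:", login_vulnerable(db, "alice", BYPASS_PASSWORD))
    print("bypass, safe:      ", login_safe(db, "alice", BYPASS_PASSWORD))
    print("exfil, vulnerable: ", login_vulnerable(db, EXFIL_USERNAME, "anything"))
    print("exfil, safe:       ", login_safe(db, EXFIL_USERNAME, "anything"))
```

With the concatenated version, the first attack string logs in as alice without the password and the second returns bob's password from a form that only asked for a username; the parameterized version returns no row for either, because the input never reaches the engine as SQL text. Binding parameters is the usual way to achieve the separation the post calls for without having to get escaping rules right for every engine.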