[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] FW: Introducing a new generic approach to detecting SQL injection

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] FW: Introducing a new generic approach to detecting SQL injection
From: Mohit Muthanna <mohit.muthanna@xxxxxxxxx>
Date: Wed, 20 Apr 2005 16:14:09 -0400

> As you know, blocking SQL injection with filters on characters is painful and
> not always successful. I got thinking about it and thought of an approach

Painful? That's just an excuse for being lazy. (No offense intended.)

Not always successful? ... I don't get this, why not?

There are a number of tools and libraries that will quite easily and
robustly handle quoting / escaping issues for you. E.g., perl's DBI
module handles all your quoting issues by way of prepared statements.

All it takes is a little forethought and a lot less laziness.

Mohit.

--
Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those
who don't."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] FW: Introducing a new generic approach to detecting SQL injection
  - From: Glenn.Everhart

Prev by Date: Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)
Next by Date: Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
Previous by thread: RE: [Full-disclosure] FW: Introducing a new generic approach todetecting SQL injection
Next by thread: Re: [Full-disclosure] FW: Introducing a new generic approach to detecting SQL injection
Index(es):
- Date
- Thread