The Unexpected SQL Injection
I am pleased to announce that WASC has published a paper I wrote for the security articles project. The project is very nice, because all articles must pass through a critique and voting process by a peer group of security professionals (and I am proud to be among them when not wearing the hat of an author).
The Unexpected SQL Injection
(When Escaping Is Not Enough)
Abstract:
We will look at several scenarios under which SQL injection may occur, even though mysql_real_escape_string() has been used. There are two major steps at writing SQL injection resistant code: correct validation and escaping of input and proper use of the SQL syntax. Failure to comply with any of them may lead to compromise. Many of the specific issues are already known, but no single document mentions them all.
Although the examples are built on PHP/MySQL, the same principles apply to ASP/MSSQL and other combinations of languages and databases.
I didn’t understand a word, but I can tell it calls for celebration:) Congrats!
Comment by haz — 17 September 2007, Monday @ 23:19
[…] which has apparently became a bad meme in more than one way. I have already mentioned (as many others did as well way before me) the blunder of using is_numeric(), but a more alarming […]
Pingback by Nature of Man » The Curse of Magic Quotes — 31 October 2007, Wednesday @ 00:28
[…] GRASP (potential) pitfalls The Unexpected SQL Injection The Curse of Magic […]
Pingback by Codex Securitatis » Blog Archive » Vale mundum! — 21 February 2008, Thursday @ 20:43
[…] which has apparently became a bad meme in more than one way. I have already mentioned (as many others did as well way before me) the blunder of using is_numeric(), but a more alarming […]
Pingback by Codex Securitatis » The Curse of Magic Quotes — 7 April 2008, Monday @ 23:20
[…] originally appeared here.) I am pleased to announce that WASC has published a paper I wrote for the security articles […]
Pingback by Codex Securitatis » The Unexpected SQL Injection — 7 April 2008, Monday @ 23:22