Just a question. Please don't take it wrong.

Can you send a "DROP TABLE mytable" in the following example of an XSP page? I
am using the mod-db stuff too.

<esql:execute-query>
  <esql:query>
    SELECT * FROM mytable
    WHERE mytable_id=
      <esql:parameter type="int">
        <xsp:expr>
          Integer.parseInt(
            <xsp-request:get-parameter name="id" default="0"/>
          )
        </xsp:expr>
      </esql:parameter>
  </esql:query>
</esql:execute-query>

Antonio Gallardo



On Tuesday, 05 November 2002 14:38, Geoff Howard wrote:
> I just tried it.  Logging in as
>
> Donald Ball'; DROP TABLE employee;
>
> does exactly what you think it would.  It drops the
> table and the next time you try to log in, the table
> is gone and logins fail (DOH - does the hsql db get
> regenerated automatically somehow?)
>
> I have to run out but will put this in Bugzilla later.
>
>
> This combined with the fact that the mod-db stuff
> almost forces you to reveal your actual table and
> column names to the world in your request parameters
> amounts to big trouble.
>
> Geoff
>
> --- Torsten Curdt <[EMAIL PROTECTED]> wrote:
> > On Tue, 2002-11-05 at 19:53, Geoff Howard wrote:
> > > Speaking of protecting against SQL injection - is it
> > > generally known that DatabaseAuthenticatorAction.java
> > > is not using PreparedStatement?  I wonder what logging
> > > in as
> > > Donald Ball'; DROP TABLE user_table;
> > >
> > > would do...?
> >
> > Do you mind trying it out and filing a bug in bugzilla?
> > ;)
> > --
> > Torsten
>
> ---------------------------------------------------------------------
>
> > To unsubscribe, e-mail:
> > [EMAIL PROTECTED]
> > For additional commands, email:
> > [EMAIL PROTECTED]

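To put Antonio's question to the test, here is an added example (not code from the thread or from Cocoon): Python with an in-memory sqlite3 database stands in for the Java/ESQL stack, parse_int stands in for Integer.parseInt, and the hostile id string is constructed for the demo. It runs the unparameterised concatenation the thread describes next to the convert-then-bind shape of the esql:parameter snippet above.

```python
import re
import sqlite3

# Constructed sample input (not from the thread): the injection idea discussed
# above, aimed at the numeric mytable_id in Antonio's ESQL query.
HOSTILE_ID = "0; DROP TABLE mytable"

def fresh_db():
    """In-memory stand-in for the real database, with one row in mytable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (mytable_id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO mytable VALUES (1, 'alice')")
    return conn

def table_exists(conn, name="mytable"):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row[0] == 1

def lookup_concatenated(conn, raw_id):
    """Unsafe pattern (no PreparedStatement): the request parameter is pasted into
    the SQL text, so a second statement rides along. Returns whether mytable survived."""
    conn.executescript("SELECT * FROM mytable WHERE mytable_id=" + raw_id)
    return table_exists(conn)

def parse_int(raw):
    """Roughly mirrors Integer.parseInt: optional sign and decimal digits, else raise."""
    if not re.fullmatch(r"[+-]?[0-9]+", raw):
        raise ValueError("not an integer: %r" % raw)
    return int(raw)

def lookup_bound(conn, raw_id):
    """The esql:parameter pattern: convert first, then bind as a value. The SQL text
    never changes, so the input can only ever be compared against mytable_id."""
    value = parse_int(raw_id)
    return conn.execute("SELECT * FROM mytable WHERE mytable_id=?", (value,)).fetchall()

def demo():
    """Returns (table survived concatenation, hostile id rejected, table survived binding)."""
    survived_concat = lookup_concatenated(fresh_db(), HOSTILE_ID)
    conn = fresh_db()
    try:
        lookup_bound(conn, HOSTILE_ID)
        rejected = False
    except ValueError:
        rejected = True
    # Even with the parse step skipped, a bound string is just data: no rows, table intact.
    conn.execute("SELECT * FROM mytable WHERE mytable_id=?", (HOSTILE_ID,)).fetchall()
    return survived_concat, rejected, table_exists(conn)
```

demo() returns (False, True, True): concatenation loses the table, the parseInt step rejects the string outright, and a bound parameter never reaches the SQL parser at all.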
