You may also be interested in several papers on SQL Injection
available at:
http://www.nextgenss.com/research/papers.html
These refer to SQL Server, but much of it is relevant
for any database.
Jared
On Friday 29 November 2002 03:18, Tim Bunce wrote:
> An interesting article on SQL Injection attacks (where a database
> query can be modified to perform unintended actions):
>
> http://online.securityfocus.com/infocus/1644
>
> The article has a strong Oracle focus but the issues apply to many
> databases (even more so to those that allow multiple statements in
> a single database request).
>
> Tim.
>
> p.s. Where it says "It is also not possible to SQL inject a call
> that uses bind variables" it means "uses _only_ bind variables".
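
The distinction drawn in the postscript above, as an added example that is not part of either message: a query that binds one value but concatenates another is still injectable, while one that binds every value is not. The `accounts` table, the function names and the sample data are assumptions constructed for this illustration, and Python's `sqlite3` stands in for whatever database driver is in use; the sort-column allowlist goes one step beyond the messages, since identifiers cannot be bound.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions for this example.
ROWS = [("alice", "savings", 100), ("alice", "current", 20), ("bob", "savings", 999)]
SORTABLE = {"name", "balance"}  # identifiers cannot be bound, so allowlist them


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, name TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ROWS)
    return db


def list_mixed(db, owner, pattern):
    """Binds owner but concatenates pattern into the SQL text: still injectable."""
    sql = ("SELECT owner, name FROM accounts WHERE owner = ? AND name LIKE '"
           + pattern + "'")
    return db.execute(sql, (owner,)).fetchall()


def list_bound(db, owner, pattern, sort_col="name"):
    """Binds every value; the only concatenated piece comes from an allowlist."""
    if sort_col not in SORTABLE:
        raise ValueError("unsupported sort column")
    sql = ("SELECT owner, name FROM accounts WHERE owner = ? AND name LIKE ? "
           "ORDER BY " + sort_col)
    return db.execute(sql, (owner, pattern)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "%' OR '1'='1"  # constructed input that closes the string literal
    print(list_mixed(db, "alice", "sav%"))   # normal use: alice's savings row
    print(list_mixed(db, "alice", crafted))  # WHERE clause rewritten: every row
    print(list_bound(db, "alice", crafted))  # treated as a literal pattern: no rows
```

In `list_mixed` the bound `owner` value is handled safely, but the concatenated pattern changes the statement's structure before the driver ever sees the bind variable, which is why "uses bind variables" is not enough on its own.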