Not necessary, for example a SQL query like:

SELECT * FROM users WHERE username='$username' AND password='$password'

A malicious user could enter a username and password like bla' OR '1' = '1 and end up logging you in as the first user - often an admin user, because with naive string substitution the query would be:

SELECT * FROM users WHERE username='bla' OR '1' = '1' AND password='bla' OR '1' = '1'

which on many databases would just match every row. That exact form wouldn't work on GQL either, but I'm pretty sure there would be similar ones.

On 29 November 2010 20:09, Ikai Lan (Google) <[email protected]> wrote:
> Doesn't that require the SQL parser to understand semi-colons? GQL does not.
>
> --
> Ikai Lan
> Developer Programs Engineer, Google App Engine
> Blogger: http://googleappengine.blogspot.com
> Reddit: http://www.reddit.com/r/appengine
> Twitter: http://twitter.com/app_engine
>
>
> On Fri, Nov 26, 2010 at 6:41 AM, Barry Hunter <[email protected]> wrote:
>>
>> Even read-only SQL injection has its 'uses'. I.e. it can be used to
>> exploit 'SELECT's.
>>
>> For example, in some systems, depending on how login is implemented
>> it's possible to use SQL injection to login as an admin user - to pick
>> one possible use.
>>
>> On 26 November 2010 13:38, Tim Hoffman <[email protected]> wrote:
>> > GQL is read-only, so you can't inject anything if you're using GQL, or
>> > for that matter Query objects.
>> >
>> > T
>> >
>> > On Nov 26, 8:37 pm, pdknsk <[email protected]> wrote:
>> >> And by clarify I mean verify.
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups "Google App Engine" group.
>> > To post to this group, send email to [email protected].
>> > To unsubscribe from this group, send email to
>> > [email protected].
>> > For more options, visit this group at
>> > http://groups.google.com/group/google-appengine?hl=en.
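Added example, not code from the thread: the login query discussed above run in Python against a small constructed sqlite3 table (standing in for whatever database the application uses), first with the naive string substitution and then with bound parameters, which is the standard fix for this class of bug. The table contents, user names and passwords are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table; the admin row is inserted first,
    so it is the 'first user' the thread talks about."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret-admin"), ("alice", "alice-pw")],
    )
    conn.commit()
    return conn


def naive_login(conn, username, password):
    """Vulnerable: the query text is built by string substitution, exactly as
    in the thread. Quotes in the input become part of the SQL syntax, so
    username='bla' OR '1' = '1' AND password='bla' OR '1' = '1' is true for
    every row and fetchone() hands back the first one."""
    sql = "SELECT username FROM users WHERE username='%s' AND password='%s'" % (
        username,
        password,
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Hardened: placeholders make the driver pass the values separately from
    the SQL text, so the input is compared as data and can never change the
    shape of the query. Returns the matching username or None."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "bla' OR '1' = '1"
    print(naive_login(conn, payload, payload))  # admin: every row matched
    print(safe_login(conn, payload, payload))  # None: no such user
    print(safe_login(conn, "alice", "alice-pw"))  # alice: a real login
```

The same separation of query text from values is what a parameterized GQL query or Query-object filter gives you on App Engine; the concrete payload differs per query language, the defence does not.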
