Let me suggest something a little differently:
Perhaps when speaking of web app security, an already enormous area, it is
not so useful to enlarge it still more, but fools rush in.
One way to look at web code (and many other kinds) is that we are sending
strings to an interpreter and it does
Manico [EMAIL PROTECTED]
To: Kenneth Van Wyk [EMAIL PROTECTED]
Cc: Secure Coding SC-L@securecoding.org
Date: Mon, 28 Apr 2008 15:27:58 -0400
Subject: Re: [SC-L] Lateral SQL injection paper
Anyone else have a take on this new attack method?
If I use Parameterized queries w/ binding of all
On Tue, 29 Apr 2008, Joe Teff wrote:
If I use Parameterized queries w/ binding of all variables, I'm 100%
immune to SQL Injection.
Sure. You've protected one app and transferred risk to any other
process/app that uses the data. If they use that data to create dynamic
sql, then what?
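The "transferred risk" in that reply is what is usually called second-order SQL injection: the writing application binds every variable and is safe, so it faithfully stores whatever string it is given; a downstream consumer then reads the value back and pastes it into dynamic SQL because it "came from our own table". The following is an added illustration, not code from the thread or from either poster. It is Python with an in-memory SQLite database; the tables, column names and sample rows are constructed for the example.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """In-memory database populated with constructed sample data (not real users)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY)")
    conn.execute("CREATE TABLE logins (username TEXT, ts TEXT)")
    # App 1, the writer: fully parameterized, so it is immune to injection,
    # and precisely because of that it stores any string faithfully, quotes
    # included. "O'Brien" is a perfectly legitimate value.
    for name in ("alice", "O'Brien"):
        conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    for user, ts in (("alice", "2008-04-28"), ("alice", "2008-04-29"),
                     ("O'Brien", "2008-04-29")):
        conn.execute("INSERT INTO logins (username, ts) VALUES (?, ?)", (user, ts))
    conn.commit()
    return conn


def report_job_dynamic(conn):
    """App 2: a downstream reporting job that reads names back from the
    database and builds SQL by concatenation, trusting the data because it
    came from 'our own' table. This is the risk App 1 transferred to it."""
    report = {}
    for (name,) in conn.execute("SELECT name FROM users").fetchall():
        query = "SELECT count(*) FROM logins WHERE username = '" + name + "'"
        try:
            report[name] = conn.execute(query).fetchone()[0]
        except sqlite3.OperationalError as exc:
            # A legitimate apostrophe already breaks the query; a value that
            # kept the statement syntactically valid would silently change it.
            report[name] = "error: " + str(exc)
    return report


def report_job_parameterized(conn):
    """App 2, fixed: the same job with a bound parameter. The stored value is
    handed to the driver as data and is never parsed as SQL."""
    report = {}
    for (name,) in conn.execute("SELECT name FROM users").fetchall():
        row = conn.execute("SELECT count(*) FROM logins WHERE username = ?",
                           (name,)).fetchone()
        report[name] = row[0]
    return report


if __name__ == "__main__":
    db = build_sample_db()
    print("dynamic SQL consumer:   ", report_job_dynamic(db))
    print("parameterized consumer: ", report_job_parameterized(db))
```

Running it shows the writer's parameterized insert working exactly as advertised and the concatenating consumer failing on the stored apostrophe while the parameterized consumer returns the right counts. The practical takeaway for the "100% immune" claim is that binding has to be applied at every place the data is turned back into SQL, not only where it first enters the system.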
If I understand this correctly, it's difficult to exploit because if you can
alter database types, you probably can send arbitrary SQL statements to the
database somehow already. In that case, what extra capabilities does this
attack give you?
When I design applications using Postgresql, I
So I'd like to pull this back to a few salient points. Weirdly,
some folks seem quick to dismiss the paper with a
didactic shot of folks shouldn't code that way anyway
which has nothing to do with the subject.
1. I think everyone on SC-L gets the idea of strong
patterns and implementations, and
Greetings SC-Lers,
Things have been pretty quiet here on the SC-L list...
I hope everyone saw David Litchfield's recent announcement of a new
category of SQL attacks. (Full paper available at http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf)
He refers to this new category as
David's papers are always interesting, but I think
the most interesting thing is that we are starting
to see advanced SQL injection like his recent
work on cursor attacks/snarfing being used in the
wild in mass-SQL injection exploits.
Attackers are using multiple layers of encoding for
both
Anyone else have a take on this new attack method?
If I use Parameterized queries w/ binding of all variables, I'm 100%
immune to SQL Injection.
In Java (for Insert/Update/etc) just use PreparedStatement + variable
binding.
There are similar constructs in all languages.
Although the