Re: [SC-L] Lateral SQL injection paper

2008-04-29 Thread Joe Teff
If I use Parameterized queries w/ binding of all variables, I'm 100% immune to SQL Injection. Sure. You've protected one app and transferred risk to any other process/app that uses the data. If they use that data to create dynamic sql, then what? jt -Original Message- From: Jim

Re: [SC-L] Lateral SQL injection paper

2008-04-29 Thread Steven M. Christey
On Tue, 29 Apr 2008, Joe Teff wrote: If I use Parameterized queries w/ binding of all variables, I'm 100% immune to SQL Injection. Sure. You've protected one app and transferred risk to any other process/app that uses the data. If they use that data to create dynamic sql, then what?

Re: [SC-L] Lateral SQL injection paper

2008-04-29 Thread Pascal Meunier
If I understand this correctly, it's difficult to exploit because if you can alter database types, you probably can send arbitrary SQL statements to the database somehow already. In that case, what extra capabilities does this attack give you? When I design applications using Postgresql, I

Re: [SC-L] Lateral SQL injection paper

2008-04-29 Thread Arian J. Evans
So I'd like to pull this back to a few salient points. Weirdly, some folks seem quick to dismiss the paper with a didactic shot of folks shouldn't code that way anyway which has nothing to do with the subject. 1. I think everyone on SC-L gets the idea of strong patterns and implementations, and