[EMAIL PROTECTED] wrote:
Kenneth Downs wrote:
1) SQL Injection does not let them do anything they can't do anyway,
so at most it is a waste of the hacker's time
Many things are a waste of the cracker's time, but they do them
anyway. So counting on the result not being worth the time of cracker
is wishful thinking. :-)
The focus is on "...does not let them do anything they can't do
anyway...." If the hacker wants to test the SQL injection abilities,
let them. Let them have fun. Let them learn. The real question is,
can they do harm? And the answer is NO, not if they are connected to
the database with an account that has limited security abilities.
2) Our user interface design focuses on the idea that they should see
everything they can do, and everything they can see they can do.
Again, SQL Injection only gives them a really crude way to do
something that's probably on the menu!
Hmm, I think in terms of online stores and credits. Sure, the person
can purchase a credit and have the data in their user record updated,
but it is so much cheaper to do an "update usertable set credits=10000
where uid = 'me')
See Rusty's comment and my reply on row-level and column-level security.
--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
