Bill,

I was wondering about this recently also and found some interesting tidbits. One is that at least in SQL Server, when you use an insert/update action, the SQL is actually executed by Witango calling one of the built-in stored procedures to execute the SQL passed to it by Witango. So SQL Server's built-in protection against SQL injection through stored procedures is in place. However... when you use a Direct DBMS action, it looks like it's directly executed SQL, not through the use of a stored procedure, so therefore you would have some exposure here if you were using a Direct DBMS action to insert or update something with contents from a user form. I'm not certain that this would be a real risk, but looking at the trace log in SQL Server it seems to be the case.

I don't know how different it is in other DBs, but at least according to MS, if you use stored procedures to process queries, you are protected from SQL injection attacks.

Anyone else done any research on this? (I'm betting that Mr. Shubert and Mr. Garcia have some experience here, among others...)

Jason

William M Conlon wrote:
I've been trying to look for vulnerabilities by attacking my Witango code à la

http://www.securiteam.com/securityreviews/5DP0N1P76E.html

It looks like Witango's SQLENCODING is doing the trick.

I guess it's like magic_quotes() in php. There seems to be a lot of controversy about magic-quotes, mostly philosophical, about preferring to escape instead. I don't want to start a debate about escaping versus doubling single quotes.

But I would like to hear if anybody has found the need for any other SQL filtering.

Bill

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf



--
Jason Pamental
Director of Web Services
North Sails

Office: 401.643.1415
Fax: 401.643.1420
Mobile: 401.743.4406
Email: [EMAIL PROTECTED]
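As an added illustration of the two points in this thread (it is not from Bill's or Jason's mail and not Witango code), here is a small Python script against an in-memory SQLite table. It contrasts a lookup that splices form input straight into SQL text, the way a Direct DBMS action was described as doing, with a parameterised lookup, and it includes a quote-doubling helper that assumes SQLENCODING works by doubling single quotes (the thread suggests this but does not spell it out). The name `O'Brien` is a constructed, perfectly legitimate input; it breaks the spliced query outright, which is the same structural weakness an injection would exploit. The last function shows the caveat a practitioner wants: quote doubling only helps inside quoted string literals, so a value going into an unquoted numeric position needs validation and a bound parameter instead.

```python
import sqlite3


def make_db():
    """Build a constructed sample table in memory: id 1 = alice, id 2 = O'Brien."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users(name) VALUES (?)", [("alice",), ("O'Brien",)])
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Mirrors a Direct DBMS action that splices user input into the SQL text.

    Any single quote in `name` changes the statement's structure; the database
    sees whatever the input makes the statement say.
    """
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def sql_encode(value):
    """Quote doubling, assumed here to be what SQLENCODING does for string values."""
    return value.replace("'", "''")


def lookup_encoded(conn, name):
    """Spliced SQL, but with the input passed through sql_encode first."""
    sql = "SELECT id FROM users WHERE name = '" + sql_encode(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Bound parameter: the value never becomes part of the SQL text at all.

    This is the same property stored-procedure or parameterised execution gives you.
    """
    return [row[0] for row in conn.execute("SELECT id FROM users WHERE name = ?", (name,))]


def lookup_by_id(conn, raw_id):
    """Numeric position: quote doubling does nothing here, because there are no quotes.

    Validate the type (int() rejects anything that is not a whole number) and still
    bind it as a parameter.
    """
    user_id = int(raw_id)  # raises ValueError on non-numeric input
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))]


def demo(name="O'Brien"):
    """Run the three string lookups on one input and report what happened."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
        concat_error = None
    except sqlite3.OperationalError as exc:
        concat = None
        concat_error = type(exc).__name__
    return {
        "concat": concat,
        "concat_error": concat_error,
        "encoded": lookup_encoded(conn, name),
        "param": lookup_param(conn, name),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the spliced query fails with an OperationalError on the apostrophe, while both the quote-doubled and the parameterised versions return the row for O'Brien. Of the two, the bound parameter is the one to prefer: it does not depend on every call site remembering to encode, and it covers numeric columns as well.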


