[Tim.Bunce@pobox.com: "SQL Injection" attacks - database security issues]
Eric Eisenhart
ee at eric.eisenhart.name
Fri Nov 29 12:02:58 PST 2002
An interesting article about why it's a *really* good idea for your SQL
database querying applications to use placeholders / bind variables
instead of interpolation.
(there was a little discussion about this during Mark's PHP talk)
----- Forwarded message from Tim Bunce <Tim.Bunce at pobox.com> -----
List-Subscribe: <mailto:dbi-announce-subscribe at perl.org>
From: Tim Bunce <Tim.Bunce at pobox.com>
To: dbi-announce at perl.org
Cc: dbi-users at perl.org
Subject: "SQL Injection" attacks - database security issues
An interesting article on SQL Injection attacks (where a database
query can be modified to perform unintended actions):
http://online.securityfocus.com/infocus/1644
The article has a strong Oracle focus but the issues apply to many
databases (even more so to those that allow multiple statements in
a single database request).
Tim.
p.s. Where it says "It is also not possible to SQL inject a call
that uses bind variables" it means "uses _only_ bind variables".
----- End forwarded message -----
--
Eric Eisenhart
NBLUG Co-Founder & President Pro Tempore for Life
The North Bay Linux Users Group
http://nblug.org/
eric at nblug.org, IRC: Freiheit at freenode, AIM: falschfreiheit, ICQ: 48217244
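The placeholder-versus-interpolation point above, together with Tim's caveat that binding some values does not protect whatever is still interpolated, as an added Python/sqlite3 example (not code from the list post or the SecurityFocus article; the `users` table, its rows and the function names are constructed for the demo):

```python
import sqlite3

def make_db():
    # Constructed sample data: a tiny in-memory table standing in for a real user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def roles_interpolated(conn, name):
    # Vulnerable form: the caller-supplied value becomes part of the SQL text,
    # so quote characters in it change the meaning of the statement.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def roles_bound(conn, name):
    # Hardened form: the value travels as a bind variable and is never parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

ALLOWED_SORT_COLUMNS = {"name", "role"}

def roles_by_role_sorted(conn, role, sort_col):
    # Identifiers (column names) cannot be bound, so ORDER BY is still interpolated.
    # Binding `role` alone does not make this query safe ("uses _only_ bind
    # variables"); the interpolated part must be checked against an allow-list.
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % sort_col)
    sql = "SELECT name, role FROM users WHERE role = ? ORDER BY " + sort_col
    return conn.execute(sql, (role,)).fetchall()

def sort_column_is_rejected(conn, role, sort_col):
    # Helper for checking the allow-list: True if the column name was refused.
    try:
        roles_by_role_sorted(conn, role, sort_col)
    except ValueError:
        return True
    return False
```

With the classic `x' OR '1'='1` value, the interpolated query returns every row while the bound query returns none, and a non-allow-listed sort column is refused before it reaches the database.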