On Thu, Apr 16, 2009 at 7:56 PM, Stephen Russell <[email protected]> wrote: > On Thu, Apr 16, 2009 at 11:55 AM, MB Software Solutions General > Account <[email protected]> wrote: >> Mike yearwood wrote: >>> Hi Bill >>> >>> Look into parameterizing. That way you don't need to escape values and >>> you prevent sql injection attacks. >> >> Excellent suggestion!!! Is injection completely impossible if you use >> the parameters approach? > ------------------------- > > There are 2 parts to this piece. I read it as "I have to submit text > that contains ' marks" > > Second Q here is if injection is impossible if you use params? > > The answer to that is NO. Is it harder to achieve success in > injection attacks? Much harder but there are vulnerabilities. That > param is read and stored to be used later on in the code, so if your > hack works to make the system unstable your second hack could inject > rights to give some one or something to be used later. Real hard to > determine if they work.
I've mentioned this webpage before: http://www.sommarskog.se/ In particular 'The curse and blessings of dynamic SQL'. Well worth a read. I remember working on VB6 app years ago where you could inject your own SQL code into the username field on the login screen. It was an internal GUI app so unlikely to be hacked, but it's was great introduction to injection. -- Paul _______________________________________________ Post Messages to: [email protected] Subscription Maintenance: http://leafe.com/mailman/listinfo/profox OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/[email protected] ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
