> Message: 7
> Date: Thu, 16 Apr 2009 13:56:27 -0500
> From: Stephen Russell <[email protected]>
> Subject: Re: String With Apostrophes, etc Into MySql
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On Thu, Apr 16, 2009 at 11:55 AM, MB Software Solutions General
> Account <[email protected]> wrote:
>> Mike yearwood wrote:
>>> Hi Bill
>>>
>>> Look into parameterizing. That way you don't need to escape values and
>>> you prevent sql injection attacks.
>>
>>
>> Excellent suggestion!!! Is injection completely impossible if you use
>> the parameters approach?
> -------------------------
>
> There are 2 parts to this piece. I read it as "I have to submit text
> that contains ' marks"
>
> Second Q here is if injection is impossible if you use params?
>
> The answer to that is NO. Is it harder to achieve success in
> injection attacks? Much harder but there are vulnerabilities. That
> param is read and stored to be used later on in the code, so if your
> hack works to make the system unstable your second hack could inject
> rights to give someone or something to be used later. Real hard to
> determine if they work.
Please demonstrate. Parameters eliminate attacks. If a param is stored in a table and a programmer concatenates that param into a new SQL even that injection is prevented via parameterization. Queries don't execute the contents of the fields so stored "injection" params wouldn't cause SQL to do anything.

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
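An added example illustrating the two points argued in this thread (it is not code from either poster; it uses Python's sqlite3 module instead of VFP and MySQL, and the table and names are constructed): a bound parameter stores an apostrophe literally, a value read back from the table stays harmless when it is re-bound as a parameter, and the same stored value only changes a query's meaning when a later query concatenates it into the SQL text.

```python
import sqlite3

# Constructed sample inputs: a name with an apostrophe (the thread's original
# problem) and a stored value that alters any query that splices it in as text.
SAMPLE_NAME = "O'Brien"
HOSTILE_NAME = "x' OR '1'='1"


def setup_db():
    """In-memory table with three rows, all inserted through parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance REAL)")
    rows = [(SAMPLE_NAME, 10.0), (HOSTILE_NAME, 20.0), ("Smith", 30.0)]
    # The driver sends values separately from the statement, so the quotes are
    # data, never SQL syntax; nothing needs escaping.
    conn.executemany("INSERT INTO customers (name, balance) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def lookup_param(conn, name):
    """Safe: the lookup value is bound as a parameter."""
    cur = conn.execute("SELECT id, name, balance FROM customers WHERE name = ?", (name,))
    return cur.fetchall()


def lookup_concat(conn, name):
    """Unsafe, shown for contrast: the value is spliced into the SQL text."""
    sql = "SELECT id, name, balance FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def concat_breaks_on_apostrophe(conn):
    """True if the concatenated form cannot even handle O'Brien (syntax error)."""
    try:
        lookup_concat(conn, SAMPLE_NAME)
        return False
    except sqlite3.OperationalError:
        return True


def reuse_stored_value(conn, customer_id, safe=True):
    """Second-order case: re-query with a value read back from the table.
    safe=True re-binds it as a parameter; safe=False concatenates it, which is
    the later programmer mistake that reintroduces injection."""
    stored = conn.execute("SELECT name FROM customers WHERE id = ?", (customer_id,)).fetchone()[0]
    return lookup_param(conn, stored) if safe else lookup_concat(conn, stored)


def demo():
    conn = setup_db()
    return {
        "apostrophe_param": lookup_param(conn, SAMPLE_NAME),
        "apostrophe_concat_fails": concat_breaks_on_apostrophe(conn),
        "hostile_param": lookup_param(conn, HOSTILE_NAME),  # matches only its own row
        "hostile_reuse_safe": reuse_stored_value(conn, 2, safe=True),
        "hostile_reuse_concat": reuse_stored_value(conn, 2, safe=False),  # every row
    }
```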

