Re: Paper: SQL Injection Attacks by Example

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Paper: SQL Injection Attacks by Example
From: Cory Foy <Cory.Foy@xxxxxxxxxxxxx>
Date: Wed, 05 Jan 2005 15:56:28 -0500
In-reply-to: <8DC79B1EA961734C852BE2D5ECC069A001A7E220@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <8DC79B1EA961734C852BE2D5ECC069A001A7E220@xxxxxxxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)

Scovetta, Michael V wrote:

At least in MSSQL, you'd have to do something bad like use sp_executesql
or some other function that will re-form a complete sql query and pass
that to the interpreter. As long as you do more sensible stuff like:

        insert into table (name, age) values (@b, @a)

you should be fine.

Except that I've seen webbie-type people who will execute a stored procby doing:


strSQL = "exec userLogin " + userName + " " + userPassword

which would be still be subject to a SQL Injection attack if I simplyhad a semicolon in the userPassword and then was able to pass any otherquery to it.


Cory

References:
- RE: Paper: SQL Injection Attacks by Example
  - From: Scovetta, Michael V

Prev by Date: Re: Paper: SQL Injection Attacks by Example
Next by Date: RE: Paper: SQL Injection Attacks by Example
Previous by thread: Re: Paper: SQL Injection Attacks by Example
Next by thread: RE: Paper: SQL Injection Attacks by Example
Index(es):
- Date
- Thread