Re: how to code to avoid SQL insertion attacks
From: steve (me_at_me.com)
Date: 02/21/05
- Next message: Kanna Akella via JavaKB.com: "sort problem with spread*** - poi"
- Previous message: itamar: "session timeout doesn't work"
- In reply to: Lee Fesperman: "Re: how to code to avoid SQL insertion attacks"
- Next in thread: Thomas Kellerer: "Re: how to code to avoid SQL insertion attacks"
- Reply: Thomas Kellerer: "Re: how to code to avoid SQL insertion attacks"
- Reply: Antti S. Brax: "Re: how to code to avoid SQL insertion attacks"
- Reply: Chris Smith: "Re: how to code to avoid SQL insertion attacks"
- Reply: Lee Fesperman: "Re: how to code to avoid SQL insertion attacks"
- Reply: Kevin McMurtrie: "Re: how to code to avoid SQL insertion attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Mon, 21 Feb 2005 22:44:47 +0800
On Sat, 19 Feb 2005 18:00:34 +0800, Lee Fesperman wrote
(in article <42170CAE.5300@ix.netcom.com>):
> steve wrote:
>>
>> On Wed, 16 Feb 2005 06:58:52 +0800, Lee Fesperman wrote
>> (in article <42127D1C.6C@ix.netcom.com>):
>>
>>> bighead4694@hotmail.com wrote:
>>>>
>>>> My backend DBMS is Oracle.
>>>
>>> Great! AFAIK, they have native support for prepared statements.
>>> Simply pass all arguments received externally as ? parameters
>>> to your prepared statement. This will
>>> protect you against SQL insertion/injection attacks.
>>>
>>> Please respond if you need more help/info...
>>>
>>>
>>
>> No, it will not!
>
> Kindly explain, or apologize for calling people idiots.
>
>
Nope, I don't think so; get over it.
Then take a look at the replies.
I find it offensive when I see piss-poor replies to people who require
genuine help.
We have a guy who has requested help, which is fine.
However, I see only one reasonable reply, and that is to use stored procedures
and call-outs (remembering that the 'helpee' did not give any information on the
application/security level, but DID state he was using Oracle),
and then there is your reply (use prepared statements && ?).
consider the code:
String sql =
    "Select object_code,client_file_name,filedatestamp from "
    + "client_code_java where deleted=0 and rep_index=?";
PreparedStatement st = dbconn.prepareStatement(sql);
st.setString(1, indexkey);             // Bind the replication index
ResultSet rset = st.executeQuery();    // Execute Query
This satisfies your reply of "using ?" and prepared statements.
Is it secure?
Hmm.
1. String sql ="Select * from client_code_java where ?=null";
2. String sql ="Select * from client_code_java where ?<>null";
(null can be anything and 'nothing'; it is null)
3. indexkey='"";
So far that is 3 ways to attack this "perfect" system.
That's not even considering how easy it is to recover passwords from an Oracle
thin JDBC connection,
which would make any prepared statement and '?' F**&K useless.
Now consider how you would hack:
String The_qry = "{ call external_user.fgfdgfddfg.asa(?,?,?,?,?,?,?,?,?,?,?,?,?)}";
where "external_user" has connect privs only.
Replies on a postage stamp, please.
If people require help, then help, but if you have not thought about the
question then STFU.
Steve.
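An added example (mine, not code from Steve's post or from anyone else in this thread) showing the difference the post is arguing about: the same rep_index lookup with the externally supplied value concatenated into the SQL text versus bound to a ? placeholder, plus the "where ?=null" shape Steve quotes. It uses Python's standard sqlite3 module in place of the Oracle thin JDBC driver so that it runs with no database server; the table contents, the column list, the function names and the payload string are all constructed for the example. What it demonstrates is the property prepared statements provide in both JDBC and sqlite3: the statement text is parsed once, and a bound value is delivered as data, never re-parsed as SQL.

```python
import sqlite3

# Constructed sample rows standing in for the Oracle table in the post.
# Columns: id, object_code, client_file_name, filedatestamp, deleted, rep_index
SAMPLE_ROWS = [
    (1, b"\xca\xfe\xba\xbe", "Alpha.java", "2005-02-21", 0, "key-1"),
    (2, b"\xca\xfe\xba\xbe", "Beta.java", "2005-02-21", 0, "key-2"),
    (3, b"\xca\xfe\xba\xbe", "Gamma.java", "2005-02-20", 1, "key-3"),  # soft-deleted row
]

# Constructed attacker input: closes the quoted literal and appends a tautology.
PAYLOAD = "x' or '1'='1"


def make_db():
    """Build an in-memory SQLite database with the (hypothetical) sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table client_code_java ("
        "id integer primary key, object_code blob, client_file_name text, "
        "filedatestamp text, deleted integer, rep_index text)"
    )
    conn.executemany("insert into client_code_java values (?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def query_concatenated(conn, indexkey):
    """Vulnerable form: the external value is spliced into the SQL text.

    With PAYLOAD the statement becomes
      ... where deleted=0 and rep_index='x' or '1'='1'
    and because AND binds tighter than OR, the deleted=0 filter is bypassed too.
    """
    sql = (
        "select client_file_name from client_code_java "
        "where deleted=0 and rep_index='" + indexkey + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def query_bound(conn, indexkey):
    """Parameterized form: the statement text is fixed; the value is bound to ?."""
    sql = (
        "select client_file_name from client_code_java "
        "where deleted=0 and rep_index=?"
    )
    return [row[0] for row in conn.execute(sql, (indexkey,))]


def query_compare_to_null(conn, indexkey):
    """The 'where ?=null' shape from the post: a bound value compared with NULL.

    The comparison evaluates to UNKNOWN for every value, so no row ever matches,
    and the bound value cannot change that because it is never parsed as SQL.
    """
    sql = "select client_file_name from client_code_java where ?=null"
    return [row[0] for row in conn.execute(sql, (indexkey,))]


def run_demo():
    """Run the queries against the constructed data and return the results."""
    conn = make_db()
    try:
        return {
            "concat_normal": query_concatenated(conn, "key-1"),
            "concat_payload": query_concatenated(conn, PAYLOAD),
            "bound_normal": query_bound(conn, "key-1"),
            "bound_payload": query_bound(conn, PAYLOAD),
            "null_compare": query_compare_to_null(conn, PAYLOAD),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, files in run_demo().items():
        print(f"{name:15s} -> {files}")
```

Running it shows the concatenated query returning every row, deleted ones included, for the payload, while the bound query returns nothing for the same string and the expected single row for a real key; the ?=null query returns no rows whatever is bound, because the only thing a placeholder can carry is a value, not a change to the statement.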