Re: how to code to avoid SQL insertion attacks
From: Tor Iver Wilhelmsen (tor.iver.wilhelmsen_at_broadpark.no)
Date: 02/23/05
- Next message: Tor Iver Wilhelmsen: "Re: how to code to avoid SQL insertion attacks"
- Previous message: allelopath: "double declaration"
- In reply to: steve: "Re: how to code to avoid SQL insertion attacks"
- Next in thread: Chris Smith: "Re: how to code to avoid SQL insertion attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 23 Feb 2005 20:18:14 +0100
steve <me@me.com> writes:
> wrong
Not wrong.
> to be able to hinder a hacker, you think like a hacker; whilst this may not
> produce ideal code, you have to offset it against the risk,
> since he did not specify the risk.
But a hacker does not write the SQL - the programmer does. That's the
point of PreparedStatement, to hinder the hacker in writing SQL.
> it is to GAIN INFORMATION from the database that would not normally be
> available.
And that is not possible since the hacker does not see the SQL.
> the above would not gain any information from the database, since
> you need to know the inner workings of the routine.
It's needlessly cryptic to the developer.
Again: In modern software systems, the code's SQL statements are NOT
VISIBLE to the user/hacker no matter how they are written.
> and that was the whole point, you are not seeing the BIG picture.
We're thankfully not seeing the same picture you are.
> READ THE THREAD.
Where everyone except you is making sense.
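The point made above, that parameter binding keeps user input out of the SQL text the database parses, shown as an added example that is not part of the thread. It uses Python's sqlite3 parameter markers as a stand-in for JDBC's PreparedStatement (same mechanism: the statement shape is fixed, values travel separately); the table and the inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data, not from the original thread.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Build a small in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Weak form: the caller's input becomes part of the SQL text itself.

    A value containing a quote changes the statement the database parses,
    so the caller ends up 'writing SQL' even though they never see it.
    """
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Prepared form: the statement is fixed; the value is bound separately.

    Whatever the input contains, it can only ever be compared as data,
    never parsed as SQL. This is what PreparedStatement gives you in JDBC.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo() -> dict:
    """Run both lookups with a normal name and with a quote-bearing value."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed input containing a quote
    return {
        "concat_normal": lookup_concatenated(conn, "alice"),
        "concat_hostile": lookup_concatenated(conn, hostile),  # every row leaks
        "prepared_normal": lookup_prepared(conn, "alice"),
        "prepared_hostile": lookup_prepared(conn, hostile),  # no such name: []
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```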