> From: Nathan M. Andelin
>
> Thanks for pointing this out. I still feel that OS/400 systems are less
> vulnerable to Web hacks than most other systems, but I see the scenario
> posed in the article would be possible. Developers who are using SQL in
> their applications should beware.

You're right of course that we should be aware that people can hack our systems, but this particular problem is more a result of really bad ASP programming than of anything else. The following things are required:

1. An "authentication" database with passwords in the clear.
2. A query against a database built from a string rather than a prepared statement.

Either of these can be (and should be) gotten around easily. In fact, injected SQL is only an issue when you are building your SQL statements from strings. Prepared statements avoid this issue entirely, and they've been available in JDBC for quite some time now. I'm pretty sure ASP programming supports prepared statements (if they don't, that's a significant weakness). If they do and you still write code like that shown in the article, you probably shouldn't be working in a corporate environment.

Joe
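As an added example (not code from the post, nor from the article it discusses), here are Joe's two conditions side by side with their fixes: a clear-text table queried through a string-built statement, and a salted-hash table queried through a parameterised statement. Python's sqlite3 DB-API stands in for the JDBC/ASP code under discussion; the user name, password and probe input are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample credential; not data from the post or the article it cites.
USERS = [("alice", "s3cret")]

def fresh_db(setup) -> sqlite3.Connection:
    """Open an in-memory database and populate it with the given setup function."""
    conn = sqlite3.connect(":memory:")
    setup(conn)
    return conn

def setup_clear(conn: sqlite3.Connection) -> None:
    """Item 1 in the post: an 'authentication' table with passwords in the clear."""
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)

def login_string_built(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Item 2 in the post: the query is assembled from strings, so a quote in the
    input ends the literal and the rest is parsed as SQL. The 'before' picture only."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def setup_hashed(conn: sqlite3.Connection) -> None:
    """Fix for item 1: store a salted hash, so the table never holds the clear text."""
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash TEXT)")
    for name, pw in USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_password(pw, salt)))

def login_prepared(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Fix for item 2: the '?' is bound to the value by the driver, so the input is never
    parsed as SQL, and the password check happens in application code, not in the query."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    return hmac.compare_digest(hash_password(password, salt), pw_hash)

if __name__ == "__main__":
    probe = "' OR '1'='1"  # constructed input: closes the quoted literal and adds a tautology
    print("string-built query accepts it:", login_string_built(fresh_db(setup_clear), "alice", probe))
    print("prepared statement rejects it:", login_prepared(fresh_db(setup_hashed), "alice", probe))
```

The string-built version returns True for the probe because the statement it sends is `... AND password = '' OR '1'='1'`; the parameterised version sends one statement with one bound value and falls through to the hash comparison, which fails.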
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.