>The following things are required:
>1. An "authentication" database with passwords in the clear.
>2. A query against a database built from a string rather than a prepared
>statement.

Maybe in the specific example shown an "authentication" database is needed,
however the problem of SQL Injection exists regardless of the authentication
method used or even the existence of authentication.

ASP does also support prepared statements. Technically the data access is
OLE/DB or ODBC, both of which have supported prepared statements since they
were born. And yes, prepared statements solve this problem. However, many
programmers don't use them, in ASP or JSP. I'm not justifying the fact, just
stating it.

SQL Injection is a problem on any platform. To say that the problem is due
to "really bad ASP programming" is just inflammatory. I'll agree that it's
due to really bad programming, but ASP has nothing to do with it. You can
cause the same problem in JSP, J2EE, PHP, Perl, C, C++, Pascal, Cobol,
RPG... You get the point. There's nothing in this issue that's Microsoft's
fault; don't pin it there.

-Walden

------------
Walden H Leverich III
President & CEO
Tech Software
(516) 627-3800 x11
(208) 692-3308 eFax
WaldenL@xxxxxxxxxxxxxxx
http://www.TechSoftInc.com 

Quidquid latine dictum sit altum videtur.
(Whatever is said in Latin seems profound.)
 
-----Original Message-----
From: Joe Pluta [mailto:joepluta@xxxxxxxxxxxxxxxxx] 
Sent: Wednesday, February 04, 2004 12:59 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: Research Project- Sources Outside the AS/400 & How these affect Security

> From: Nathan M. Andelin
> 
> Thanks for pointing this out.  I still feel that OS/400 systems are less
> vulnerable to Web hacks than most other systems, but I see the scenario
> posed in the article would be possible.  Developers who are using SQL in
> their applications should beware.

You're right of course that we should be aware that people can hack our
systems, but this particular problem is more a result of really bad ASP
programming than of anything else.

The following things are required:

1. An "authentication" database with passwords in the clear.
2. A query against a database built from a string rather than a prepared
statement.

Either of these can be (and should be) gotten around easily.  In fact,
injected SQL is only an issue when you are building your SQL statements
from strings.  Prepared statements avoid this issue entirely, and
they've been available in JDBC for quite some time now.

I'm pretty sure ASP programming supports prepared statements (if they
don't that's a significant weakness).  If they do and you still write
code like that shown in the article, you probably shouldn't be working
in a corporate environment.

Joe
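Added example, not code from either message above: Joe's point that the attack needs a query "built from a string rather than a prepared statement", and Walden's point that the injection exists regardless of how passwords are stored, shown side by side. The login check below stores only a hash of the password (so Joe's first condition, passwords in the clear, is not met) and is still bypassed through the user name when the SQL text is concatenated; the same check as a parameterized statement is not. The user table, the sample accounts and the `login_concat`/`login_prepared` function names are constructed for this illustration; SQLite stands in for the OLE DB, ODBC or JDBC data source of the thread.

```python
"""Vulnerable string-built query vs. prepared statement, against SQLite.

Added example for the thread above; the schema, sample users and function
names are illustrative assumptions, not anything from the original posts.
"""
import hashlib
import sqlite3

# Constructed sample accounts (not real credentials).
USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def _pw_hash(password):
    # Illustration only: a bare SHA-256 is NOT an acceptable password hash in
    # production (use bcrypt, scrypt or argon2). It is here to show that
    # hashing the stored secret does nothing against injection in the query.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db():
    """Build an in-memory database with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(name, _pw_hash(pw)) for name, pw in USERS],
    )
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """VULNERABLE: the user name is spliced straight into the SQL text.

    Returns the authenticated user name, or None. Because the password is
    hashed before it reaches the statement, the only injection point left is
    `name`; that is enough. With name = "alice' --" the statement becomes
        SELECT name FROM users WHERE name = 'alice' --' AND pw_hash = '...'
    and everything after `--` is a comment, so the password check vanishes.
    """
    sql = (
        "SELECT name FROM users WHERE name = '" + name + "'"
        " AND pw_hash = '" + _pw_hash(password) + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn, name, password):
    """HARDENED: the statement text is fixed; values travel as parameters.

    The driver never re-parses the user's input as SQL, so "alice' --" is
    simply a user name that does not exist.
    """
    sql = "SELECT name FROM users WHERE name = ? AND pw_hash = ?"
    row = conn.execute(sql, (name, _pw_hash(password))).fetchone()
    return row[0] if row else None


def compare(name, password):
    """Run both checks on one credential pair and return (concat, prepared)."""
    conn = make_db()
    try:
        return login_concat(conn, name, password), login_prepared(conn, name, password)
    finally:
        conn.close()


if __name__ == "__main__":
    for creds in [("alice", "correct horse"),      # legitimate login
                  ("alice", "wrong"),              # wrong password
                  ("alice' --", "wrong"),          # comment out the password check
                  ("' OR 1=1 --", "anything")]:    # log in as the first row
        print(f"{creds!r:35} concat={compare(*creds)[0]!r:10} "
              f"prepared={compare(*creds)[1]!r}")
```

The concatenated version accepts the two injected names without knowing any password; the parameterized version accepts only the genuine pair. The same split applies to ADO parameters over OLE DB/ODBC or `PreparedStatement` in JDBC: the statement text is sent once with placeholders and the values are bound separately, which is the property that makes the attack class disappear.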

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
