|
On Wed, 3 Jan 2007, Joe Pluta wrote:
From: rob@xxxxxxxxx It has been pointed out to me that my ftp exit point has a bug. I check the first few characters. For example I will only allow you to change directory into certain directories. However, someone pointed out a common error. What about cd /ToDirectoryThatRobInsistsUpon/../TheOneThatTheSneakyBastardWantsInto Other common errors? How about the traditional web hack that someone puts up a search screen that prompts you for certain values? And then passes those values via URL. Then the hack is that you can manipulate how the search data is represented in that url to darn near perform an entirely different SQL statement.Welcome to the web world. The good news, though, is that those exploits are very well documented and you should, with some research, be able to find all of them and address them. The SQL injection technique in particular is a nasty one but one that has some very well-tested workarounds. The SQL exit point can be a real pain, especially since you need to then scan every SQL command and in a high-transaction environment that's going to be ugly performance-wise. That's why I recommend people just turn it off and use a called program or a web service. That way you have much easier control over what's being allowed.
How is this any better than simply using prepared statements? AFAIK prepared statements completely remove the possibility of SQL injection attacks. Statement scanning becomes completely unnecessary.
James Rich It's not the software that's free; it's you. - billyskank on Groklaw
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.