[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Paper: SQL Injection Attacks by Example

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Paper: SQL Injection Attacks by Example
From: Cory Foy <Cory.Foy@xxxxxxxxxxxxx>
Date: Wed, 05 Jan 2005 15:56:28 -0500

Scovetta, Michael V wrote:

At least in MSSQL, you'd have to do something bad like use sp_executesql
or some other function that will re-form a complete sql query and pass
that to the interpreter. As long as you do more sensible stuff like:

insert into table (name, age) values (@b, @a)

you should be fine.

Except that I've seen webbie-type people who will execute a stored proc by doing:

strSQL = "exec userLogin " + userName + " " + userPassword

which would be still be subject to a SQL Injection attack if I simply had a semicolon in the userPassword and then was able to pass any other query to it.

Cory

References:
- RE: Paper: SQL Injection Attacks by Example
  - From: Scovetta, Michael V

Prev by Date: RE: Paper: SQL Injection Attacks by Example
Next by Date: RE: Paper: SQL Injection Attacks by Example
Previous by thread: Re: Paper: SQL Injection Attacks by Example
Next by thread: RE: Paper: SQL Injection Attacks by Example
Index(es):
- Date
- Thread