RE: [WEB SECURITY] Tip on preventing SQL injection attacks/column on biometrics
- From: "dpw" <dainw@xxxxxxx>
- Subject: RE: [WEB SECURITY] Tip on preventing SQL injection attacks/column on biometrics
- Date: Mon, 10 Apr 2006 14:51:31 -0700
Interesting - not being a java developer, I realize there's probably a
disconnect. We prefer (and rely on) "parameterized queries" here.
Being a simple unwashed heathen web-monkey, my term "parameterized query" is
probably not the right term...
What I refer to as "parameterized query" is the act of passing the stored
procedure parameters into the connection via an array, rather than as
strings.
...in a nutshell:
IDValue = Request("IDValue")
SQL = "Table_GetByID"
ParameterArray = Array(IDValue)
Set RS = Exec(SQL, ParameterArray)

Function Exec(StoredProcedure, ParameterArray)
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = GetConnectionString() ' defined elsewhere
    cmd.CommandText = StoredProcedure
    cmd.CommandType = 4 ' adCmdStoredProc: CommandText names a stored procedure
    ' Execute returns the recordset; the parameters travel as values, never as SQL text
    Set Exec = cmd.Execute(, ParameterArray)
    ' closing the connection here would close RS as well, so the caller closes it when done
    Set cmd = Nothing
End Function
Does anyone on this list have any feelings on whether or not this is a good
way to defeat SQL injection? This seems to defeat everything we've been able
to throw at it - though, we are not experts!
I would definitely appreciate your opinions on this.
Dain White
Senior Developer / Webmaster
First Step Internet - www.fsr.com
208-882-8869 ext. 440
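The contrast this thread is about (the caller's text concatenated into the SQL versus passed alongside a fixed statement, as the ParameterArray is above), transposed into Python's DB-API against an in-memory SQLite table. This is an added example, not code from the thread; the table, rows and inputs are constructed.

```python
import sqlite3

# Constructed sample table standing in for the "Table" behind Table_GetByID.
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def get_by_id_concat(conn, id_value):
    # String building: whatever the caller typed becomes part of the SQL grammar,
    # so the database cannot tell value from operator.
    sql = "SELECT id, name FROM users WHERE id = " + id_value
    return conn.execute(sql).fetchall()


def get_by_id_param(conn, id_value):
    # Parameterized: the statement text is fixed and the value is bound separately,
    # the same separation the ADODB.Command + ParameterArray call relies on.
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (id_value,)).fetchall()


def demo():
    conn = make_db()
    normal = "2"
    hostile = "2 OR 1=1"  # constructed input that rewrites the WHERE clause if concatenated
    return {
        "concat_normal": get_by_id_concat(conn, normal),
        "concat_hostile": get_by_id_concat(conn, hostile),   # every row comes back
        "param_normal": get_by_id_param(conn, normal),
        "param_hostile": get_by_id_param(conn, hostile),     # compared as one value: no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

SQLite applies the column's numeric affinity to the bound "2" so it still matches id 2, while the bound "2 OR 1=1" is not a well-formed number and is compared as plain text.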
-----Original Message-----
From: Davidson, Michelle [mailto:MDavidson@xxxxxxxxxxxxxx]
Sent: Monday, April 10, 2006 2:15 PM
To: dainw@xxxxxxx; websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] Tip on preventing SQL injection attacks/column
on biometrics
I checked with the author on this, and here is what he said:
"I did cover it in my article, but it was more in terms of Java than ASP.
If you look at point 9 of the 10 steps I mentioned in the article. It talks
about using dynamic queries instead of static queries. Static queries are
also known as parameterized queries and in point 9 I am trying to convey the
same message. In Java parameterized queries are created by using Statement
object and dynamic queries are created using PreparedStatement object. So,
by avoiding Statement object, the developers are avoiding parameterized
queries."
Michelle
From: dpw [mailto:dainw@xxxxxxx]
Sent: Monday, April 10, 2006 1:23 PM
To: websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] Tip on preventing SQL injection attacks/column
on biometrics
This is a well thought out article - though it omits mention of
parameterized queries...
Does anyone on this list have information on why parameterized queries
wouldn't be recommended to mitigate risk of SQL injection?
Dain White
Senior Developer / Webmaster
dainw@xxxxxxx 208.882.8869 X440
-----Original Message-----
From: Davidson, Michelle [mailto:MDavidson@xxxxxxxxxxxxxx]
Sent: Monday, April 10, 2006 9:57 AM
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] Tip on preventing SQL injection attacks/column on
biometrics
A frequent contributor to SearchAppSecurity.com -- Anurag Agarwal -- has
written a couple pieces you might be interested in.
Note: Free registration to SearchAppSecurity.com required.
SQL injection: Developers fight back
http://searchappsecurity.techtarget.com/tip/1,289483,sid92_gci1179106,00.html?Offer=WASC
Biometrics replacing passwords: Does authentication get better or worse?
http://searchappsecurity.techtarget.com/tip/1,289483,sid92_gci1179280,00.html?Offer=WASC
Michelle
Michelle Davidson
Editor
SearchAppSecurity.com
TechTarget
4025 Sea Grape Circle
Delray Beach, FL 33445
Phone: 561-302-1120
Fax: 561-496-1860
AIM: MicheDav910
TechTarget
The Most Targeted IT Media
www.techtarget.com
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org