Penetration Testing mailing list archives
Re: SQL injection
From: Hernán M. Racciatti <hracciatti () gmail com>
Date: Fri, 10 Jun 2005 15:40:22 -0300
On 6/10/05, Leandro Reox <lmet5on () fibertel com ar> wrote:
> Like Todd says "nothing is 100% secure"
> It's real life...
> so well-coded web apps + good signature-based detection + good db diagramming + a lot of conscience makes a nice combo.
I agree, but I would add one or two additional items: security in depth and fewer privileges...

P.S.: In SQL Injection tactics, evasion is OFTEN possible, e.g.:

'OR 1=1--
'OR1=1--
'or2>1--
%27%4f%52%20%31%3d%31%2d%2d
%27%4f%52%20'a'=N'a'
etc...

Config and signatures are theoretically possible, but not in practical terms... Clean code is the only last defense. My 2 cents.

Bye.

--
Hernán Marcelo Racciatti
Core Team Member ISECOM (Institute for Security and Open Methodologies)
Coordinator OISSG, Argentina (Open Information System Security Group)
[mailto:hracciatti () gmail com]
[http://www.hernanracciatti.com.ar]
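The two points in the message above, that literal signatures are evaded by trivial encoding and spacing changes while a bound parameter neutralises the input regardless of how it is written, can be shown side by side. The following is an added example, not code from anyone in this thread; it uses Python's standard sqlite3 module, a constructed two-row users table, and the payload strings listed in the message. The signature patterns and function names are assumptions made for the example.

```python
import re
import sqlite3
from urllib.parse import unquote

# Payloads quoted in the message above (the last two are percent-encoded variants).
PAYLOADS = [
    "'OR 1=1--",
    "'OR1=1--",
    "'or2>1--",
    "%27%4f%52%20%31%3d%31%2d%2d",
    "%27%4f%52%20'a'=N'a'",
]

# A literal signature of the kind a naive IDS rule might ship: quote, OR, space, 1=1.
NAIVE_SIG = re.compile(r"'\s*OR\s+1=1")


def naive_match(raw: str) -> bool:
    """Match the raw request string against the literal signature (no decoding)."""
    return bool(NAIVE_SIG.search(raw))


def normalize(raw: str) -> str:
    """Canonicalise before matching: percent-decode (twice, for double encoding),
    lower-case, and collapse whitespace runs. Assumed normalisation, not a product's."""
    s = unquote(unquote(raw))
    s = s.lower()
    return re.sub(r"\s+", " ", s)


# A tautology pattern applied to the normalised form: quote, OR, then
# <term> <comparison> <term>, where a term is a word or a quoted string,
# optionally prefixed with the T-SQL N (Unicode string) marker.
TAUTOLOGY_SIG = re.compile(
    r"'\s*or\s*(\w+|'[^']*')\s*(=|<>|>|<)\s*n?(\w+|'[^']*')"
)


def tautology_match(raw: str) -> bool:
    """Decode-then-match detection: catches the encoded and squeezed variants."""
    return bool(TAUTOLOGY_SIG.search(normalize(raw)))


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")]
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the input is only ever compared as a value."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)
    )]


def run_demo() -> dict:
    """Return the evidence for both claims so it can be inspected or asserted on."""
    conn = setup_db()
    tautology = "'OR 1=1--"  # decoded form of the first percent-encoded payload
    return {
        "naive_hits": [naive_match(p) for p in PAYLOADS],
        "normalized_hits": [tautology_match(p) for p in PAYLOADS],
        "vulnerable_rows": lookup_vulnerable(conn, tautology),
        "parameterized_rows": lookup_parameterized(conn, tautology),
        "benign_false_positive": tautology_match("O'Brien"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The naive signature fires only on the first payload; the other four pass it untouched, which is the point about signatures being theoretically but not practically sufficient. Decoding and normalising before matching recovers all five, but every new encoding or spacing trick has to be anticipated in the rule, whereas the parameterised lookup returns nothing for the tautology no matter how it is written.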
Current thread:
- Exploit Repositories and Due Diligence, (continued)
- Exploit Repositories and Due Diligence Jeff (Jun 09)
- RE: Exploit Repositories and Due Diligence Leandro Reox (Jun 09)
- RE: Exploit Repositories and Due Diligence Sahir Hidayatullah (Jun 10)
- RE: Exploit Repositories and Due Diligence Carl Tucker (Jun 14)
- RE: Exploit Repositories and Due Diligence Carl Tucker (Jun 20)
- Re: SQL injection Tim (Jun 09)
- Re: SQL injection James Riden (Jun 09)
- RE: SQL injection Leandro Reox (Jun 09)
- RE: SQL injection Todd Towles (Jun 09)
- RE: SQL injection Leandro Reox (Jun 10)
- Re: SQL injection Hernán M . Racciatti (Jun 10)
- Re: SQL injection DokFLeed (Jun 10)
- RE: SQL injection Leandro Reox (Jun 10)
- RE: SQL injection Faiz Ahmad Shuja (Jun 12)