Secure Coding mailing list archives

CERIAS : Beware SQL injections due to missing prepared statement support


From: ken at krvw.com (Kenneth Van Wyk)
Date: Thu, 30 Jul 2009 14:37:38 -0400

Here's one for the daily UGH!

Great points raised by Pascal Meunier (see below) about poorly implemented language support for Prepared Statement SQL calls. In particular, Python's pyPGSQL actually takes its prepared statement and translates internally to an old-style concatenated string query, thereby opening itself up to various SQL injection vulnerabilities.

http://www.cerias.purdue.edu/site/blog/post/beware_sql_injections_due_to_missing_prepared_statement_support/#When 

Interesting article, Pascal.  Thanks!

Cheers,

Ken

-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

(This email is digitally signed with a free x.509 certificate from CAcert. If you're unable to verify the signature, try getting their root CA certificate at http://www.cacert.org -- for free.)

