Secure Coding mailing list archives
CERIAS : Beware SQL injections due to missing prepared statement support
From: ken at krvw.com (Kenneth Van Wyk)
Date: Thu, 30 Jul 2009 14:37:38 -0400
Here's one for the daily UGH! Great points raised by Pascal Meunier (see below) about poorly implemented language support for Prepared Statement SQL calls. In particular, Python's pyPGSQL actually takes its prepared statement and translates internally to an old-style concatenated string query, thereby opening itself up to various SQL injection vulnerabilities.

http://www.cerias.purdue.edu/site/blog/post/beware_sql_injections_due_to_missing_prepared_statement_support/

Interesting article, Pascal. Thanks!

Cheers,

Ken
-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

(This email is digitally signed with a free x.509 certificate from CAcert. If you're unable to verify the signature, try getting their root CA certificate at http://www.cacert.org -- for free.)
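The failure mode Ken describes, shown side by side with real parameter binding, as an added example that is not part of the original post or of pyPGSQL. It uses Python's built-in sqlite3 module instead of PostgreSQL so it runs offline; `emulated_prepare` is a hypothetical client-side "prepared statement" that splices quoted parameters into the query text (the kind of translation the post warns about), not pyPGSQL's actual code, and the users table is constructed sample data. The `%s` placeholders in the emulated path mirror the Python DB-API `format` paramstyle that PostgreSQL drivers use; the bound path uses sqlite3's `?` placeholders because the values never touch the SQL text.

```python
import sqlite3

# Constructed sample table (not from the original post).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def emulated_prepare(sql, params):
    """Hypothetical client-side 'prepared statement': each %s placeholder is
    replaced by the quoted parameter text and the whole thing is sent as one
    SQL string. This models the translation the post warns about; it is not
    pyPGSQL's actual implementation."""
    parts = sql.split("%s")
    if len(parts) != len(params) + 1:
        raise ValueError("placeholder/parameter count mismatch")
    out = parts[0]
    for param, rest in zip(params, parts[1:]):
        out += "'" + str(param) + "'" + rest
    return out


def login_emulated(conn, name, password):
    """Authenticate via the string-splicing emulation: the parameter values
    become part of the SQL that the server parses."""
    sql = emulated_prepare(
        "SELECT name FROM users WHERE name = %s AND password = %s",
        (name, password),
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_bound(conn, name, password):
    """Authenticate with real parameter binding: the SQL text is fixed and
    the values are handed to the engine separately, so they are never
    interpreted as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("emulated, normal login :", login_emulated(db, "alice", "s3cret"))
    print("bound, normal login    :", login_bound(db, "alice", "s3cret"))
    print("emulated, injected     :", login_emulated(db, "alice", payload))
    print("bound, injected        :", login_bound(db, "alice", payload))
```

With the injected password the emulated path builds `... AND password = '' OR '1'='1'` and returns every user, while the bound path returns nothing; a password containing a single quote, such as `it's`, breaks the emulated query outright but is handled as plain data by the bound one. The practical check for any driver is whether the parameter values are transmitted separately from the statement text (server-side prepare, or the database's wire-protocol bind) rather than being quoted into the string on the client.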
Current thread:
- CERIAS : Beware SQL injections due to missing prepared statement support Kenneth Van Wyk (Jul 30)
- CERIAS : Beware SQL injections due to missing prepared statement support Pascal Meunier (Jul 30)