Penetration Testing mailing list archives

Re: SQL injection


From: Hernán M. Racciatti <hracciatti () gmail com>
Date: Fri, 10 Jun 2005 15:40:22 -0300

On 6/10/05, Leandro Reox <lmet5on () fibertel com ar> wrote:

> Like Todd says "nothing is 100% secure"
>
> That's real life...
>
> so well-coded web apps + good signature-based detection + good DB
> diagramming + a lot of conscience make a nice combo.

I agree, but I would add one or two additional items: security in
depth and fewer privileges...

P.S.: In SQL injection tactics, evasion is OFTEN possible, e.g.:

'OR 1=1--
'OR1=1--
'or2>1--
%27%4f%52%20%31%3d%31%2d%2d
%27%4f%52%20'a'=N'a'
etc...

Configuring signatures is theoretically possible, but not in practical terms...

Clean code is the only last defense...

My 2 cent.
Bye.

-- 
Hernán Marcelo Racciatti

Core Team Member ISECOM (Institute for Security and Open Methodologies)
Coordinator OISSG, Argentina (Open Information System Security Group)

[mailto:hracciatti () gmail com]
[http://www.hernanracciatti.com.ar]
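As an added illustration (my own code, not part of the mail or the list), the five payloads quoted above are run through a naive literal signature, a normalizing signature, and finally a parameterized query. The SQLite table, the two regexes and the lookup functions are assumptions of this example.

```python
import re
import sqlite3
from urllib.parse import unquote

# The five payloads quoted in the mail above, copied as-is.
SAMPLES = [
    "'OR 1=1--",
    "'OR1=1--",
    "'or2>1--",
    "%27%4f%52%20%31%3d%31%2d%2d",
    "%27%4f%52%20'a'=N'a'",
]

# Assumed naive rule: the literal textbook string, as a hasty IDS signature might be.
NAIVE_SIG = re.compile(r"'OR 1=1")

def naive_match(payload: str) -> bool:
    """Raw-string match; evaded by case, spacing and URL encoding."""
    return NAIVE_SIG.search(payload) is not None

def normalize(payload: str) -> str:
    """Decode until stable (handles double encoding), casefold, drop whitespace."""
    prev = None
    while prev != payload:
        prev, payload = payload, unquote(payload)
    return re.sub(r"\s+", "", payload.lower())

# Assumed normalized rule: quote, OR, then a comparison of two short operands.
TAUTOLOGY_SIG = re.compile(r"'or'?\w+'?[=<>]+n?'?\w+")

def normalized_match(payload: str) -> bool:
    """Match after normalization; still a heuristic, not a complete defense."""
    return TAUTOLOGY_SIG.search(normalize(payload)) is not None

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "s1"), ("bob", "s2")])
    return conn

def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: the decoded value is parsed as SQL (the 'before' form)."""
    sql = "SELECT secret FROM users WHERE name = '" + unquote(name) + "'"
    return [row[0] for row in conn.execute(sql)]

def safe_lookup(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding: the value stays data, whatever quotes or keywords it holds."""
    rows = conn.execute("SELECT secret FROM users WHERE name = ?", (unquote(name),))
    return [row[0] for row in rows]
```

The naive rule matches only the first payload, the normalized rule matches all five, and only the bound parameter returns no rows for every one of them; that is the "clean code" point in practice.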

