Penetration Testing mailing list archives
Re: Row-0 mitigation of SQL injection
From: John Lampe <jwlampe () tenablesecurity com>
Date: Thu, 07 Jun 2007 15:09:44 -0500
Jim Halfpenny wrote:
One way of potentially hobbling simple SQL injection would be to insert a sentinel record at the beginning of the table (hence the row-0 concept). This this row is ever returned the the application can be made aware something bad has happened. Does this sound like a good idea, or does it encourage poor coding by having a safety net? All comments welcome. Jim
I like the 'canary' idea, but I wouldn't just look at row 0. A lot of companies embed binary watermarks inside confidential files, bogus user information inside a Credit Card database, etc. This information can then be used by their IDS or passive scanner to detect when a breach has occurred. Of course, you should still sanitize user-supplied data, scan your apps, do source code audits, etc. ... -- John Lampe Senior Security Researcher TENABLE Network Security, Inc. jwlampe@{nessus.org,tenablesecurity.com} Tele: (410) 872-0555 www.tenablesecurity.com Is your network TENABLE? --------------------------------------- ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
Current thread:
- Row-0 mitigation of SQL injection Jim Halfpenny (Jun 06)
- Re: Row-0 mitigation of SQL injection Liudvikas Jablonskas (Jun 07)
- Re: Row-0 mitigation of SQL injection Zed Qyves (Jun 07)
- Re: Row-0 mitigation of SQL injection Sony C (Jun 07)
- Re: Row-0 mitigation of SQL injection Hubert Seiwert (Jun 07)
- Re: Row-0 mitigation of SQL injection John Lampe (Jun 07)
- <Possible follow-ups>
- Re: Row-0 mitigation of SQL injection mailbox () martinelli com (Jun 06)