WASC-Articles Announcement: "The Unexpected SQL Injection" by Alexander "Mordred" Andonov

[announcements () webappsec org]

WASC is proud to present a new WASC-article titled "The Unexpected SQL 
Injection" by Alexander "Mordred" Andonov. This article surveys several 
scenarios under which SQL injection may occur, even though 
mysql_real_escape_string() has been used. There are two major steps at 
writing SQL injection resistant code: correct validation and escaping of 
input and proper use of the SQL syntax. Failure to comply with any of 
them may lead to compromise. Many of the specific issues are already 
known, but no single document mentions them all.

Although the examples in the paper make use of PHP/MySQL, the same 
principles apply to ASP/MSSQL and other combinations of languages and 
databases.

The paper can be found in 
http://www.webappsec.org/projects/articles/091007.shtml

Regards,
The WASC-Articles team
http://www.webappsec.org/projects/articles/
http://www.webappsec.org/ The Web Application Security Consortium

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------