Re: SPI Labs SQL Injection Whitepaper Released

[Hack Kampbjørn <hack () kampbjorn com>]

spi labs wrote:
>     The SPI Labs whitepaper on SQL injection has been released.  It is
> available in PDF format from:
> http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf

Really interesting paper. Just scanning it now

on page 30: Are you sure you don't mean:
s/[^0-9a-zA-Z]//g (remove any character that is not a (US-ASCII) letter
or digit) instead of
s/^[0-9][a-z][A-Z]//g (remove the first three characters of a line if it
starts with a digit, a lower case letter and then an uppercase letter)


> Here's the overview:
>             SQL injection is a technique for exploiting web applications
> that use client-supplied data in SQL queries without stripping illegal
> characters first.  Despite being remarkably simple to protect against, there
> is an astonishing number of production systems connected to the Internet
> that are vulnerable to this type of attack.  The objective of this paper is
> to educate the professional security community on the techniques that can be
> used to take advantage of a web application that is vulnerable to SQL
> injection as well as make clear the correct mechanisms that should be put in
> place to protect against SQL injection, as well as input validations
> problems in general.
>
> Please send comments and questions to spilabs () spidynamics com

-- 
Med venlig hilsen / Kind regards

Hack Kampbjørn