Vulnerability Development mailing list archives
Re: SPI Labs SQL Injection Whitepaper Released
From: Hack Kampbjørn <hack () kampbjorn com>
Date: Thu, 31 Jan 2002 00:55:22 +0100
spi labs wrote:
The SPI Labs whitepaper on SQL injection has been released. It is available in PDF format from: http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
Really interesting paper. Just scanning it now; on page 30, are you sure you don't mean s/[^0-9a-zA-Z]//g (remove any character that is not a (US-ASCII) letter or digit) instead of s/^[0-9][a-z][A-Z]//g (remove the first three characters of a line if it starts with a digit, a lower-case letter and then an upper-case letter)?
Here's the overview: SQL injection is a technique for exploiting web applications that use client-supplied data in SQL queries without stripping illegal characters first. Despite being remarkably simple to protect against, there is an astonishing number of production systems connected to the Internet that are vulnerable to this type of attack. The objective of this paper is to educate the professional security community on the techniques that can be used to take advantage of a web application that is vulnerable to SQL injection, as well as to make clear the correct mechanisms that should be put in place to protect against SQL injection and input validation problems in general. Please send comments and questions to spilabs () spidynamics com
--
Med venlig hilsen / Kind regards
Hack Kampbjørn
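As an added illustration of the difference the reply points out (this is not code from the whitepaper or from the poster), here are the two substitutions expressed with Python's re module and run over a few constructed inputs; the sample strings are made up for this example.

```python
import re

# Perl's s/PATTERN//g corresponds to re.sub(PATTERN, "", value) here.
# Pattern as printed on page 30 of the paper: only a leading
# digit/lower-case/upper-case triple is removed, and only once.
AS_PRINTED = re.compile(r"^[0-9][a-z][A-Z]")
# Pattern the reply suggests was intended: every character that is
# not a US-ASCII letter or digit is removed, wherever it appears.
INTENDED = re.compile(r"[^0-9a-zA-Z]")


def strip_as_printed(value: str) -> str:
    """Apply the regex as printed: drops at most one 3-character prefix."""
    return AS_PRINTED.sub("", value)


def strip_non_alnum(value: str) -> str:
    """Apply the intended regex: keeps only [0-9a-zA-Z]."""
    return INTENDED.sub("", value)


def compare(value: str) -> dict:
    """Return both results side by side so the difference is visible."""
    return {"input": value,
            "as_printed": strip_as_printed(value),
            "intended": strip_non_alnum(value)}


# Constructed sample inputs (not taken from the paper or the thread).
SAMPLES = [
    "alice",        # clean value: both patterns leave it untouched
    "1aBob",        # printed pattern eats the prefix "1aB", leaving "ob"
    "O'Brien; --",  # quote, space, semicolon and dashes survive the printed
                    # pattern; only the intended pattern removes them
]


def run_samples() -> list:
    """Apply both patterns to every sample."""
    return [compare(s) for s in SAMPLES]


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```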
Current thread:
- SPI Labs SQL Injection Whitepaper Released spi labs (Jan 29)
- Re: SPI Labs SQL Injection Whitepaper Released Hack Kampbjørn (Jan 30)