Oracle FAQ Your Portal to the Oracle Knowledge Grid

sql server security article at dbazine.com

From: Mikito Harakiri <mikharakiri_at_ywho.com>
Date: Thu, 22 May 2003 17:53:06 -0700
Message-ID: <moeza.14$zV2.156@news.oracle.com>


http://www.dbazine.com/cook8.html
<quote>The user entered the following string and was authorized:

' or 1=1--

By placing a partial SQL statement into the Username textbox, a hacker "injects" the SQL fragment and thus alters the SQL statement that is executed. The injected SQL fragment actually consists of three different fragments, each with a different purpose</quote>

Amazing. Web application design that doesn't bother creating a user as a database user and granting privileges, but just adds a user record into a table.

Received on Thu May 22 2003 - 19:53:06 CDT
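The login check described in the quoted article, as an added example that is not part of the original post or of the dbazine article: it shows the concatenated query accepting the quoted string and the same check with bound parameters rejecting it. It uses Python's sqlite3 as a stand-in for SQL Server, and the table, column and function names are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data: one application user kept as a table row,
    # the design the post describes. A real table would hold a salted
    # password hash, not the password itself.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db

def build_concat_sql(username, password):
    # Vulnerable form: the textbox contents become part of the SQL text.
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_concat(db, username, password):
    return db.execute(build_concat_sql(username, password)).fetchone()[0] > 0

def login_bound(db, username, password):
    # Hardened form: the values are bound parameters, so the engine
    # compares them as data and never parses them as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    quoted = "' or 1=1--"  # the string quoted from the article
    # The quote closes the literal, "or 1=1" makes the WHERE clause true,
    # and "--" comments out the password test.
    print(build_concat_sql(quoted, "x"))
    print("concatenated:", login_concat(db, quoted, "x"))
    print("bound:       ", login_bound(db, quoted, "x"))
    print("bound, valid:", login_bound(db, "alice", "correct-horse"))
```
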
