Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: sql server security article at dbazine.com

From: Vladimir M. Zakharychev <bob_at_dpsp-yes.com>
Date: Fri, 23 May 2003 08:56:56 +0400
Message-ID: <baka8j$8il$1@babylon.agtel.net>


"Mikito Harakiri" <mikharakiri_at_ywho.com> wrote in message news:moeza.14$zV2.156_at_news.oracle.com...
> http://www.dbazine.com/cook8.html
> <quote>The user entered the following string and was authorized:
>
> ' or 1=1--
>
> By placing a partial SQL statement into the Username textbox, a hacker
> "injects" the SQL fragment and thus alters the SQL statement that is
> executed. The injected SQL fragment actually consists of three different
> fragments, each with a different purpose</quote>
>
>
> Amazing. Web application design that doesn't bother creating a user as a
> database user and granting privileges, but just adds a user record into a
> table.
>

Not at all that amazing. It's actually the designer's choice how the application should manage user accounts, especially when the application targets several different databases, which all have different security mechanisms. All SQL injection attacks are not due to poor design, but due to poor coding: not using bind variables where they are due, but instead concatenating strings read from a web form input into the SQL statement. Not only does this approach open a hole allowing an attacker to inject her own SQL into the statement, but it also kills application performance, because the application generates a myriad of different unshareable statements where it could in fact generate just a few, or a single, shareable statement immune to SQL injection attacks.

-- 
Vladimir Zakharychev (bob@dpsp-yes.com)                http://www.dpsp-yes.com
Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
All opinions are mine and do not necessarily go in line with those of my employer.
Received on Thu May 22 2003 - 23:56:56 CDT
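The contrast drawn above, string concatenation versus bind variables, as an added example that is not part of the original thread: it uses Python's standard sqlite3 module and a constructed users table, with `?` placeholders standing in for Oracle's `:name` binds or SQL Server's parameters. SQLite treats `--` as a line comment, just as the article's SQL Server example does, so the quoted `' or 1=1--` input behaves the same way here.

```python
import sqlite3

# One fixed statement text: the same SQL is sent no matter what the user typed,
# so the database can share it and the input can only ever be data.
BIND_SQL = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"


def make_db() -> sqlite3.Connection:
    """Constructed sample data (hypothetical, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def build_concat_sql(username: str, password: str) -> str:
    """Vulnerable pattern: form input is spliced into the SQL text, so every
    distinct input produces a distinct, unshareable statement and a quote in
    the input changes the statement's structure."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    return conn.execute(build_concat_sql(username, password)).fetchone()[0] > 0


def login_bind(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened pattern: the input is passed as bind values alongside BIND_SQL."""
    return conn.execute(BIND_SQL, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both versions with a real credential and with the quoted payload."""
    conn = make_db()
    payload = "' or 1=1--"   # the string from the dbazine article
    return {
        "concat_legit": login_concat(conn, "alice", "s3cret"),
        "concat_injected": login_concat(conn, payload, "anything"),  # authorized
        "bind_legit": login_bind(conn, "alice", "s3cret"),
        "bind_injected": login_bind(conn, payload, "anything"),      # rejected
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authorized' if ok else 'rejected'}")
```

With concatenation the payload collapses the WHERE clause to `username = '' or 1=1` and comments out the password check; with bind variables the same bytes are merely a username nobody has.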
