Oracle FAQ Your Portal to the Oracle Knowledge Grid
Home -> Community -> Usenet -> c.d.o.server -> Re: sql server security article at dbazine.com

Re: sql server security article at dbazine.com

From: Joel Garry <joel-garry_at_home.com>
Date: 23 May 2003 16:25:33 -0700
Message-ID: <91884734.0305231525.1ac77716@posting.google.com>


Karsten Farrell <kfarrell_at_belgariad.com> wrote in message news:<MPG.193801fd8453b295989795_at_news.la.sbcglobal.net>...
> mikharakiri_at_ywho.com said...
> > http://www.dbazine.com/cook8.html
> > <quote>The user entered the following string and was authorized:
> >
> > ' or 1=1--
> >
> > By placing a partial SQL statement into the Username textbox, a hacker
> > "injects" the SQL fragment and thus alters the SQL statement that is
> > executed. The injected SQL fragment actually consists of three different
> > fragments, each with a different purpose</quote>
> >
> >
> > Amazing. Web application design that doesn't bother creating a user as a
> > database user and granting privileges, but just adds a user record into a
> > table.
> >
> Thanks for reminding us. SQL injection techniques are mentioned quite
> often in security literature ... but it's always good to occasionally
> remind those web form developers who are buried so deep in their work
> they don't have time to read security articles. The same goes for
> injecting HTML tags or javascript or whatever. You can NEVER blindly
> accept what the user types as "good."

The dilbert website had some pretty classic stuff when people first realized they could put whatever html they wanted in their posts. Especially when the webmaster started pulling posts and people would get upset about that!
(IIRC, Scott Adams would post a topic for a list of the day, and people would post funny items and vote on the items. Later, they separated the posting and voting in time to reduce the abuse. Now it seems to be long gone). And of course slashdot wound up putting the url in the visible tag because people would link to disgusting sites labelled as something on topic. And that's just the juvenile stuff.

jg

--
@home.com is bogus.
"The webmaster has been notified.  We will work to correct the
problem."
Received on Fri May 23 2003 - 18:25:33 CDT
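The login bypass quoted from the dbazine article above, reproduced as an added example (this is not code from the article, the thread, or any Oracle product). It builds the same kind of string-concatenated authentication query the article describes, shows how the three fragments of `' or 1=1--` (a quote that closes the string literal, an `or 1=1` that makes the predicate always true, and a `--` that comments out the rest of the statement) rewrite it, and sets the bound-parameter version beside it. The table, users and passwords are constructed for the demonstration, and it uses SQLite rather than SQL Server so it runs offline; the assumed function names (`login_vulnerable`, `login_safe`, `render_vulnerable_sql`) are mine.

```python
import sqlite3

# Constructed sample data (not from the article): an in-memory users table.
# Passwords are stored in plaintext only to keep the demonstration short;
# a real application would store a salted hash and compare against that.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def render_vulnerable_sql(username, password):
    # The statement exactly as the vulnerable login builds it: user input is
    # pasted into the SQL text, so quotes and comment markers become syntax.
    return (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    # String concatenation, as in the article's example. With the username
    # ' or 1=1-- the query becomes
    #   SELECT id FROM users WHERE username = '' or 1=1--' AND password = '...'
    # The password check is now inside a comment and the WHERE clause is
    # always true, so the first user row is returned and the caller is
    # "authorized" without knowing any credential.
    row = conn.execute(render_vulnerable_sql(username, password)).fetchone()
    return row is not None


def login_safe(conn, username, password):
    # Bound parameters: the driver sends the values separately from the
    # statement text, so a quote or '--' in the input stays data and the
    # literal string ' or 1=1-- is simply compared against the username column.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None


PAYLOAD = "' or 1=1--"   # the injected username from the article

if __name__ == "__main__":
    conn = build_db()
    print(render_vulnerable_sql(PAYLOAD, "anything"))
    print(login_vulnerable(conn, "alice", "correct horse"))  # True: real login
    print(login_vulnerable(conn, PAYLOAD, "anything"))       # True: bypass
    print(login_safe(conn, PAYLOAD, "anything"))             # False: input stays data
```

Note that the fix is binding the parameters, not adding a database user per application user (the remark quoted at the top of the thread): even with per-user database accounts, any query assembled from untrusted text is open to the same rewrite.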
