On Fri, 2002-11-29 at 03:18, Tim Bunce wrote:
> An interesting article on SQL Injection attacks (where a database
> query can be modified to perform unintended actions):
>
> http://online.securityfocus.com/infocus/1644
>
> The article has a strong Oracle focus but the issues apply to many
> databases (even more so to those that allow multiple statements in
> a single database request).

Indeed. Which is why I advocate the use of stored procedures for all data access, and revoking *all* access to the underlying tables for the users running the CGI scripts (or other non-safe scripts).

Michael
> --
> Michael Peppler / [EMAIL PROTECTED] / http://www.mbay.net/~mpeppler
> [EMAIL PROTECTED] / ZetaTools, Inc / http://www.zetatools.com
> ZetaTools: Call perl functions as Sybase stored procedures!
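
An added illustration of the approach advocated in the reply above; it is not part of the original thread or either poster's code. It assumes a Transact-SQL dialect (chosen because the signature mentions Sybase), and the table, procedure and database user names (`app_users`, `get_user_by_login`, `set_user_email`, `web_cgi`) are hypothetical.

```sql
-- Constructed schema for illustration; all object names are hypothetical.
-- Assumes the objects are created by the database owner and that a
-- database user named web_cgi (the account the CGI scripts connect as)
-- already exists.
create table app_users (
    user_id int          not null primary key,
    login   varchar(30)  not null unique,
    email   varchar(255) not null
)
go

-- The CGI account gets no direct access to the table at all.
revoke all on app_users from public
go
revoke all on app_users from web_cgi
go

-- Read path: the caller supplies a typed parameter, never SQL text.
-- @login is only ever compared as a value.
create procedure get_user_by_login
    @login varchar(30)
as
    select user_id, login, email
    from app_users
    where login = @login
go

-- Write path: one narrow operation, validated inside the procedure.
create procedure set_user_email
    @user_id int,
    @email   varchar(255)
as
    if @email not like '%_@_%._%'
    begin
        raiserror 20001 'invalid e-mail address'
        return 1
    end
    update app_users set email = @email where user_id = @user_id
    return 0
go

-- The only privileges the CGI account holds are on the procedures.
grant execute on get_user_by_login to web_cgi
grant execute on set_user_email to web_cgi
go

-- Constructed input: the quote characters arrive as data, so this
-- looks for a login with that literal text and returns no rows.
exec get_user_by_login @login = 'nobody'' or ''1''=''1'
go
```

The protection depends on the procedure bodies using their parameters only as values: a procedure that concatenates a parameter into a string and executes it as dynamic SQL reintroduces the injection problem inside the database. The `raiserror` form shown is the Sybase one; other dialects spell it differently.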
