Not necessarily. Take, for example, a SQL query like

  SELECT * FROM users WHERE username='$username' AND password='$password'

A malicious user could enter a username and password like bla' OR '1' = '1 and end up logged in as the first user - often an admin user - because with naive string substitution the query would be

  SELECT * FROM users WHERE username='bla' OR '1' = '1' AND password='bla' OR '1' = '1'

which on many databases would just match every row.

That exact form wouldn't work on GQL either, but I'm pretty sure there would be similar ones.

On 29 November 2010 20:09, Ikai Lan (Google) <ikai.l+gro...@google.com> wrote:
> Doesn't that require the SQL parser to understand semi-colons? GQL does not.
> --
> Ikai Lan
> Developer Programs Engineer, Google App Engine
> Blogger: http://googleappengine.blogspot.com
> Reddit: http://www.reddit.com/r/appengine
> Twitter: http://twitter.com/app_engine
>
>
> On Fri, Nov 26, 2010 at 6:41 AM, Barry Hunter <barrybhun...@gmail.com> wrote:
>>
>> Even read-only SQL injection has its 'uses', i.e. it can be used to
>> exploit 'SELECT's.
>>
>> For example, in some systems, depending on how login is implemented,
>> it's possible to use SQL injection to log in as an admin user - to pick
>> one possible use.
>>
>> On 26 November 2010 13:38, Tim Hoffman <zutes...@gmail.com> wrote:
>> > GQL is read only, so you can't inject anything if you're using GQL, or
>> > for that matter Query objects.
>> >
>> > T
>> >
>> > On Nov 26, 8:37 pm, pdknsk <pdk...@googlemail.com> wrote:
>> >> And by clarify I mean verify.
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups "Google App Engine" group.
>> > To post to this group, send email to google-appeng...@googlegroups.com.
>> > To unsubscribe from this group, send email to
>> > google-appengine+unsubscr...@googlegroups.com.
>> > For more options, visit this group at
>> > http://groups.google.com/group/google-appengine?hl=en.
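The login bypass Barry describes, as an added example that is not part of the thread or of any App Engine code. It uses Python's sqlite3 module (an assumption; the thread names no particular database) with a constructed three-row users table whose first row is an admin, builds the thread's query once by string substitution and once with bound parameters, and feeds the quoted payload `bla' OR '1' = '1` to both.

```python
import sqlite3

# The payload quoted in the thread, entered as both username and password.
PAYLOAD = "bla' OR '1' = '1"


def make_db():
    """Constructed sample data for this example. The admin row is inserted
    first, matching the thread's 'first user - often an admin user' case."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2"), ("bob", "letmein")],
    )
    return conn


def naive_query(username, password):
    """Vulnerable: the thread's query built by plain string substitution.
    A quote in the input is not escaped, so it terminates the literal and the
    rest of the input becomes SQL."""
    return (
        "SELECT * FROM users WHERE username='%s' AND password='%s'"
        % (username, password)
    )


def login_naive(conn, username, password):
    """Run the substituted query; return the usernames it matches, in table order.
    With the payload, AND binds tighter than OR, so the WHERE clause reduces to
    (...) OR '1' = '1' and every row matches; the first one back is admin."""
    rows = conn.execute(naive_query(username, password)).fetchall()
    return [row[1] for row in rows]  # column 1 is username


def login_param(conn, username, password):
    """Fixed: the same query with bound parameters. The driver passes the input
    as a value, so the quote in the payload is just a character in the string
    and the payload matches no row."""
    rows = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?", (username, password)
    ).fetchall()
    return [row[1] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(naive_query(PAYLOAD, PAYLOAD))
    print("string substitution:", login_naive(db, PAYLOAD, PAYLOAD))
    print("bound parameters   :", login_param(db, PAYLOAD, PAYLOAD))
```

The same separation of query text from values is what GQL's positional bindings give you on App Engine, e.g. `db.GqlQuery("SELECT * FROM Users WHERE username = :1 AND password = :2", username, password)` rather than building the GQL string with `%`; whatever the datastore's parser does or does not accept, an input that only ever arrives as a bound value cannot change the query's shape.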