On Mon, Mar 28, 2011 at 11:02:26PM +0800, Hasanuddin Abu Bakar wrote:
> Nice one
> http://hackingexpose.blogspot.com/2011/03/mysqlcom-hacked-via-sql-injection-vuln.html

Now remember, kids, prepared statements always beat string manipulation...unless you're the attacker, in which case it's 180 degrees different. I leave it as an exercise for the student to infer what this says about ORMs which generate queries via the aforementioned string manipulation.

Cheers,
David.

-- 
David Fetter <[email protected]> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter  Skype: davidfetter
XMPP: [email protected]
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

_______________________________________________
Owasp-Malaysia mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-malaysia
OWASP Malaysia Wiki http://www.owasp.my
OWASP Malaysia Facebook http://www.facebook.com/OWASP.Malaysia
OWASP Malaysia Twitter #owaspmy http://www.twitter.com/owaspmy
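The contrast David is drawing, as an added example that is not part of his message or of this thread: a lookup built by string manipulation beside the same lookup as a prepared statement, plus a hypothetical ORM-style filter builder written both ways. The table, sample rows, function names and the `ALLOWED_COLUMNS` whitelist are all constructed for this illustration; only the Python standard-library `sqlite3` module is used, so it runs offline.

```python
import sqlite3

# Constructed sample data (not taken from the mailing list post) so the example runs offline.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def run(conn, sql, params=()):
    """Execute a query and return the matched names as a list."""
    return [row[0] for row in conn.execute(sql, params)]


def find_user_concat(conn, name):
    # String manipulation: the untrusted value is spliced into the SQL text,
    # so a quote character inside it changes the structure of the query.
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY id" % name
    return run(conn, sql)


def find_user_prepared(conn, name):
    # Prepared statement: the SQL text is fixed when it is compiled and the value
    # is bound as a parameter, so it is only ever compared as data.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return run(conn, sql, (name,))


# The same contrast for a hypothetical ORM-style filter builder. Whether an ORM is in
# the picture is irrelevant; what matters is how the helper assembles the WHERE clause.
ALLOWED_COLUMNS = {"name", "role"}


def build_filter_concat(filters):
    """Hypothetical helper that interpolates values into the clause (inherits the flaw)."""
    clauses = ["%s = '%s'" % (col, val) for col, val in filters.items()]
    return "SELECT name FROM users WHERE " + " AND ".join(clauses) + " ORDER BY id", ()


def build_filter_prepared(filters):
    """Hypothetical helper that whitelists column names and binds every value."""
    clauses, params = [], []
    for col, val in filters.items():
        # Identifiers cannot be bound as parameters, so they must come from a fixed set.
        if col not in ALLOWED_COLUMNS:
            raise ValueError("unknown column: %r" % col)
        clauses.append("%s = ?" % col)
        params.append(val)
    return "SELECT name FROM users WHERE " + " AND ".join(clauses) + " ORDER BY id", tuple(params)


def compare(name):
    """Run both lookups on one input and report what each returned."""
    conn = make_db()
    return {"concat": find_user_concat(conn, name), "prepared": find_user_prepared(conn, name)}


if __name__ == "__main__":
    # A plain name behaves the same both ways; a value carrying a quote does not.
    for probe in ("bob", "x' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```

The placeholder syntax varies by driver (`?` for `sqlite3`, `%s` for psycopg2, and so on), but the property is the same everywhere: with binding, the database receives the query shape and the values separately, so no value can rewrite the shape. An ORM that formats values into the SQL it emits gives up exactly that separation, which is the point of the remark about ORMs above.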

