Hello,

this issue is known as the "SQL injection" problem; search on Google for more
information.

You should use stored procs (if available) or parameterized queries, and also
rely on argument checking (B) to completely avoid this security issue.

Hope this helps.

Gauthier
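To make the difference between the two approaches concrete, here is an added example (not Gauthier's code and not part of Witango): a search that splices the browser-submitted value into the SQL text, the same search with a parameterized query, and an argument check in front of it. Assumptions: SQLite's stdlib driver stands in for MySQL, and the `customers`/`notes` tables and their rows are constructed here for the demonstration.

```python
import re
import sqlite3

# Constructed sample data; the real Witango/MySQL schema is not on the page.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """In-memory database standing in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.execute("CREATE TABLE notes (author TEXT, body TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_concat(conn, name):
    """Vulnerable: the submitted value becomes part of the statement text,
    so a quote character in the input changes the structure of the query."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_param(conn, name):
    """Parameterized: the value travels separately from the statement, so
    quotes and SQL keywords inside it are compared as ordinary characters."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Shape a customer name is expected to have (a constructed allowlist).
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,31}$")


def search_checked(conn, name):
    """Argument checking (B) in front of the query: reject anything outside
    the expected shape before it reaches the database. This is defense in
    depth on top of parameterization, not a substitute for it."""
    if not NAME_RE.match(name):
        raise ValueError("rejected input: %r" % (name,))
    return search_param(conn, name)


def store_and_fetch(conn, author, body):
    """Store free text with a parameterized INSERT and read it back.
    SQL typed into the field is stored and echoed as data, which is the
    behaviour Roland describes seeing from his tester."""
    conn.execute("INSERT INTO notes VALUES (?, ?)", (author, body))
    row = conn.execute(
        "SELECT body FROM notes WHERE author = ?", (author,)
    ).fetchone()
    return row[0]


def customer_count(conn):
    return conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("concatenated:", search_concat(db, hostile))   # every row leaks
    print("parameterized:", search_param(db, hostile))   # no such name: []
    try:
        search_checked(db, hostile)
    except ValueError as exc:
        print("checked:", exc)
    print("stored:", store_and_fetch(db, "tester", "'; DROP TABLE customers; --"))
    print("customers still present:", customer_count(db))
```

The concatenated query returns every customer for the hostile value because the input closes the string literal and appends its own condition; the parameterized query returns nothing because no customer is literally named that; the checked version refuses the value before any SQL runs.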

----- Original Message -----
From: "Roland Dumas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 22, 2004 5:52 PM
Subject: Re: Witango-Talk: Security question


>
> I want the SHORT answer, something like:
>
> A.) If you use Witango, a browser-submitted piece of code can't affect the
> database, Witango, or a visitor who searches and gets the record with the
> code.
> B.) Holy s**t!: You're an idiot if you don't have a layer in front of a
> submit that searches and kills anything that looks like this.....
> C.) It is theoretically possible to submit harmful code that might do
> this.....
>
> If someone put some SQL in a text field, for instance, what might happen to
> it down the line?
>
> On a prior project, there was a unix head who thought he could break a
> Witango app by submitting all kinds of junk. He tried and tried and failed.
> He put in SQL, unix commands, and all kinds of noise, but all it did was
> store it and show it back to him when he queried. Is that my answer?
>
> I don't need the general theoretical case of a theoretical app, but Witango
> as the app server and MySQL as the DBMS.
>
>
>
> On 9/22/04 8:39 AM, "William M.Conlon" <[EMAIL PROTECTED]> wrote:
>
> > Must reading:
> >
> > http://www.owasp.org/documentation/topten.html
> >
> >   Welcome to the OWASP Top Ten Project
> >
> > The OWASP Top Ten provides a minimum standard for web application
> > security. The OWASP Top Ten represents a broad consensus about what the
> > most critical web application security flaws are. Project members
> > include a variety of security experts from around the world who have
> > shared their expertise to produce this list. There are currently
> > versions in English, French, Japanese, and Korean. A Spanish version is
> > in the works. We urge all companies to adopt the standard within their
> > organization and start the process of ensuring that their web
> > applications do not contain these flaws. Adopting the OWASP Top Ten is
> > perhaps the most effective first step towards changing the software
> > development culture within your organization into one that produces
> > secure code.
> >
> >
> > On Tuesday, September 21, 2004, at 11:43  PM, Ben Johansen wrote:
> >
> >> Hi Roland,
> >>
> >> This is very unlikely; it is more likely that they would try to add SQL
> >> statements in the input field.
> >>
> >> First off, the data type constraints of the database field would probably
> >> either prevent the saving of the offensive code or will most likely
> >> truncate it.
> >>
> >> Even if there is supposedly evil script saved in the data, when pulled from
> >> the database it is not being viewed in a manner that will execute it.
> >>
> >> Plus, most firewalls and antivirus servers and clients will block it in the
> >> unlikely event that the script is intact.
> >>
> >> I have had this attempt happen to me, but the hacker didn't realize that the
> >> form didn't save to the database but was just emailed to me. I have viewed
> >> the code in Outlook without any issues.
> >>
> >> Ben Johansen
> >>
> >> -----Original Message-----
> >> From: Roland Dumas [mailto:[EMAIL PROTECTED]
> >> Sent: Tuesday, September 21, 2004 8:15 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: Witango-Talk: Security question
> >>
> >> Have a client who is asking questions about security. Specifically, if there
> >> is a field that is entered via web form and then placed in a database, is
> >> there the possibility that evil scripts can be submitted that will do evil
> >> things either to the database or to a user reading the content of that
> >> column?
> >>
>
>
> ________________________________________________________________________
> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
>

