For one answer to the question, create a TAF that is used for login (i.e. searching on userid AND password) and enter the values for userid and password as *'; (star + single-quote + semicolon). If your query breaks the program logic, you have a problem. If it doesn't, your system is inoculated against this kind of SQL injection attack, at least.
As they say, have fun!
Sri Amudhanar
Maxys Corporation
[EMAIL PROTECTED] wrote:
Hello, this issue is known as the "SQL injection" problem; search on Google for more information. You should use stored procedures (if available) or parameterized queries, and also rely on argument checking (B) to avoid this security issue completely. Hope this helps.

Gauthier

----- Original Message -----
From: "Roland Dumas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 22, 2004 5:52 PM
Subject: Re: Witango-Talk: Security question

I want the SHORT answer, something like:

A.) If you use witango, a browser-submitted piece of coding can't affect the database, witango, or a visitor who searches and gets the record with the code.
B.) Holy s**t! You're an idiot if you don't have a layer in front of a submit that searches and kills anything that looks like this.....
C.) It is theoretically possible to submit harmful code that might do this.....

If someone put some SQL in a text field, for instance, what might happen to it down the line? On a prior project, there was a unix head who thought he could break a witango app by submitting all kinds of junk. He tried and tried and failed. He put in SQL, unix commands, and all kinds of noise, but all it did was store it and show it back to him when he queried. Is that my answer? I don't need the general theoretical case of a theoretical app, but witango as the app server and mysql as the dbms.

On 9/22/04 8:39 AM, "William M. Conlon" <[EMAIL PROTECTED]> wrote:

Must reading: http://www.owasp.org/documentation/topten.html

Welcome to the OWASP Top Ten Project. The OWASP Top Ten provides a minimum standard for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. There are currently versions in English, French, Japanese, and Korean. A Spanish version is in the works.

We urge all companies to adopt the standard within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.

On Tuesday, September 21, 2004, at 11:43 PM, Ben Johansen wrote:

Hi Roland,

This is very unlikely; it is more likely that they would try to add SQL statements in the input field. First off, the data type constraints of the database field would probably either prevent the saving of the offensive code or will most likely truncate it. Even if there is supposedly evil script saved in the data, when pulled from the database it is not being viewed in a manner that will execute it. Plus, most firewalls and antivirus servers and clients will block it in the unlikely event that the script is intact. I have had this attempt happen to me, but the hacker didn't realize that the form didn't save to the database but was just emailed to me. I have viewed the code in Outlook without any issues.

Ben Johansen

-----Original Message-----
From: Roland Dumas [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 21, 2004 8:15 PM
To: [EMAIL PROTECTED]
Subject: Witango-Talk: Security question

Have a client who is asking questions about security. Specifically, if there is a field that is entered via web form and then placed in a database, is there the possibility that evil scripts can be submitted that will do evil things either to the database or to a user reading the content of that column?

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf