
This is the best security anti-pattern for SQL Injection on the web. Today I found, via <edit>, html.it blog, a CMS that uses a "creative" approach to get data from the DB: it passes the SQL string itself as a query-string parameter to the page. Here is an example:

newssearch.asp?strSQL=SELECT+*+FROM+news+WHERE+(+lingua+%3D+'ENG')

And if you search on Google for "allinurl:sql select from where", you will find heaps of pages that use this approach (tonight the results were 111.000). I found sites built in ASP Classic, PHP, CGI and Perl; it seems to be quite a widespread technique.

What if someone writes DROP TABLE NEWS instead of SELECT ...?
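As an added illustration (not code from the post or from the CMS it describes), here is the anti-pattern next to its fix, in Python against an in-memory SQLite table. The `news` schema, the sample rows, the `lingua` whitelist and the `newssearch_*` function names are assumptions.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data standing in for the CMS's "news" table. Assumption: the
# real schema is unknown; only the column named in the post's URL is modelled.
SAMPLE_ROWS = [
    (1, "ENG", "Release notes"),
    (2, "ITA", "Note di rilascio"),
    (3, "ENG", "Security advisory"),
]

ALLOWED_LINGUA = {"ENG", "ITA"}  # assumed set of languages the site serves


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, lingua TEXT, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def newssearch_unsafe(conn, query_string):
    """The anti-pattern from the post: the strSQL parameter *is* the statement.
    Whatever the client sends is handed to the database verbatim, so the caller,
    not the application, decides which statement runs."""
    params = parse_qs(query_string)        # decodes '+' and '%3D' like the web server would
    sql = params["strSQL"][0]
    return conn.execute(sql).fetchall()


def newssearch_safe(conn, query_string):
    """Hardened form: the statement is fixed in code, the client supplies only a
    value, and that value is bound as a parameter, never spliced into SQL text.
    The whitelist is defence in depth; the bound parameter is the essential fix."""
    params = parse_qs(query_string)
    lingua = params.get("lingua", [""])[0]
    if lingua not in ALLOWED_LINGUA:       # anything outside the known set is refused
        return []
    return conn.execute(
        "SELECT id, lingua, title FROM news WHERE lingua = ?", (lingua,)
    ).fetchall()


def table_exists(conn, name):
    """Lets a caller confirm the table survived a request."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None
```

With the safe handler the post's "DROP TABLE NEWS" worry disappears: the string can only ever be compared against the `lingua` column, so it matches nothing and the table is untouched.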


posted on Tuesday, July 17, 2007 10:17 PM

Comments on this entry:

# re: How NOT to prevent SQL Injection

Left by Mark at 7/17/2007 11:13 PM

They should fire the guys that developed that CMS... or better, shoot them :)

# re: How NOT to prevent SQL Injection

Left by Si Philp at 7/18/2007 12:34 AM

That's just asking for trouble. When developing I always think security, security, and more security. Worst of it is that SQL Injection white papers have been around for years....

Might take a "drop" here or there before a webmaster acknowledges that there is a problem :O

# re: How NOT to prevent SQL Injection

Left by CLod at 7/28/2007 4:37 AM

ihihih
