

There is 1 entry for the tag security

How NOT to prevent SQL Injection

This is the best anti-pattern about security and SQL Injection on the web. Today I found, via <edit>, blog, a CMS that uses a "creative" approach to get data from the DB: passing the SQL string directly as a querystring parameter to the page. Here is an example:

newssearch.asp?strSQL=SELECT+*+FROM+news+WHERE+(+lingua+%3D+'ENG')

And if you search on Google for "allinurl:sql select from where", you will find heaps of pages that use this approach (tonight the results were 111.000). I found sites built in ASP Classic, PHP, CGI and Perl; it seems to be quite a widespread technique.

What if someone writes DROP TABLE NEWS instead of SELECT ...?

Technorati tags: sql injection, security
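To make the difference concrete, here is an added example (not the CMS's code) in Python with an in-memory sqlite database: the first handler reproduces the anti-pattern of executing the strSQL parameter as-is, the second takes only the data value (the language code), checks it against an allow-list and binds it as a query parameter. The "news" table schema and its rows are constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the CMS's news table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, lingua TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO news (lingua, title) VALUES (?, ?)",
        [("ENG", "Release notes"), ("ENG", "Changelog"), ("ITA", "Note di rilascio")],
    )
    return conn


def query_param(url: str, name: str) -> str:
    """Return the first value of a querystring parameter, '' if absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def vulnerable_newssearch(conn: sqlite3.Connection, url: str) -> list:
    """The anti-pattern from the post: whatever SQL arrives in strSQL is executed."""
    sql = query_param(url, "strSQL")
    return conn.execute(sql).fetchall()


# Allow-list of language codes the page is meant to serve.
ALLOWED_LINGUE = {"ENG", "ITA"}


def hardened_newssearch(conn: sqlite3.Connection, url: str) -> list:
    """Only the data value travels in the request; the SQL text is fixed server-side."""
    lingua = query_param(url, "lingua")
    if lingua not in ALLOWED_LINGUE:
        return []  # unknown or malformed language code: nothing to search for
    # The value is bound as a parameter, so it can never become part of the statement.
    return conn.execute(
        "SELECT id, lingua, title FROM news WHERE lingua = ?", (lingua,)
    ).fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Sanity check used to confirm the news table survives a hostile parameter."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None
```

With the hardened handler the querystring can carry only a language code; a value such as ENG' OR 1=1 -- is simply not on the allow-list and returns no rows, and the table is untouched.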