Re: Row-0 mitigation of SQL injection

From: Sony C (raagamuffin@yahoo.com)
Date: Thu Jun 07 2007 - 08:02:18 EDT


Hello,

It is probably not a very good idea to build in
security through dummy rows. There may also be
implications in the app development process as some
coding around this dummy row may be required.
A simple SQL statement that will return other rows
than the 'top' one:
select * from table1 order by <column number>

where <column number> is the number of a column in the
list of columns that was returned.

Of course there are many other queries that may be
employed to retrieve different rows, some of which are
DB specific.

Regards,
Sony C.

--- Jim Halfpenny <jimsmailinglists@gmail.com> wrote:

> Hi,
> One thing I've noticed about SQL injection is that quite often the
> injected code returns a data set and the vulnerable application plucks
> the first row from the set. Consider a simple example where a login
> form is vulnerable and the following code is generated:
>
> select * from users where login = '' or 'a' = 'a';
>
> Instead of returning one row as expected the whole table is returned
> and the application more often than not reads the first row. This hack
> is especially bad if the first user in the table has admin rights,
> which is often the case.
>
> One way of potentially hobbling simple SQL injection would be to
> insert a sentinel record at the beginning of the table (hence the
> row-0 concept). If this row is ever returned the application can
> be made aware something bad has happened.
>
> Does this sound like a good idea, or does it encourage poor coding by
> having a safety net? All comments welcome.
>
> Jim
>
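An added illustration of both messages in this thread (not part of the original posts, and not code from either author), using Python's standard sqlite3 module against a constructed users table: a sentinel row 0 as Jim proposes, the `' or 'a' = 'a'` injection from his mail, Sony's `order by <column number>` variant that re-sorts the result so the sentinel is no longer the first row, and the parameterised query that removes the problem altogether. The table contents, the sentinel's login name and the `first_row_*` function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data (an assumption for this example): row 0 is the
# sentinel, and the first real user is the admin, as the original post assumes.
SENTINEL_LOGIN = "__sentinel__"
SAMPLE_USERS = [
    (0, SENTINEL_LOGIN, "zz-not-a-real-password"),
    (1, "admin", "s3cr3t"),
    (2, "alice", "hunter2"),
    (3, "bob", "letmein"),
]


def build_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def first_row_unsafe(conn, login):
    """The vulnerable pattern from the thread: concatenate the input into the
    statement and take whatever row comes back first."""
    sql = "SELECT id, login, password FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchone()


def sentinel_check(row):
    """Jim's row-0 idea: if the sentinel is the row the app picked up,
    flag the request instead of treating it as a logged-in user."""
    if row is None:
        return "no match"
    if row[1] == SENTINEL_LOGIN:
        return "sentinel hit: injection suspected"
    return "ok"


def first_row_safe(conn, login):
    """The actual fix: a parameterised query. The input is bound as a value,
    so it can neither add conditions nor append an ORDER BY."""
    sql = "SELECT id, login, password FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchone()


def run_scenarios():
    """What the app's first-row logic sees for each constructed input."""
    conn = build_db()
    plain = "' or 'a'='a"                   # the injection from the original post
    reordered = plain + "' order by 3--"    # Sony's point: re-sort by a column number
    return {
        "legit": sentinel_check(first_row_unsafe(conn, "alice")),
        # With no ORDER BY, SQLite scans the table in rowid order, so the
        # sentinel (rowid 0) is the first row and the check fires.
        "plain_injection": sentinel_check(first_row_unsafe(conn, plain)),
        # ORDER BY 3 sorts on the password column; the sentinel sorts last and
        # a real user becomes row one, so the sentinel check never fires.
        "reordered_injection": sentinel_check(first_row_unsafe(conn, reordered)),
        "reordered_first_login": first_row_unsafe(conn, reordered)[1],
        # The same payload bound as a parameter matches no login at all.
        "parameterised": first_row_safe(conn, reordered),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Row order without an ORDER BY is implementation-defined; in SQLite a plain table scan comes back in rowid order, which is the only reason the sentinel shows up first in the plain case. Once the attacker controls the ordering the sentinel is just another row, whereas the bound parameter leaves the statement's shape fixed no matter what the input contains.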


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:52 EDT