From: Hernán M. Racciatti (hracciatti@gmail.com)
Date: Fri Jun 10 2005 - 14:40:22 EDT
On 6/10/05, Leandro Reox <lmet5on@fibertel.com.ar> wrote:
> Like Todd says "nothing is 100% secure"
That is real life...
> so well-coded web apps + good sigs
> based detections + good db diagramming + a lot of conscience makes a nice
> combo.
I agree, but I would add one or two additional items: security in
depth and fewer privileges...
P.S.: In SQL injection tactics, evasion is OFTEN possible, e.g.:
'OR 1=1--
'OR1=1--
'or2>1--
%27%4f%52%20%31%3d%31%2d%2d
%27%4f%52%20'a'=N'a'
etc...
Configuring signatures is theoretically possible, but not in practical terms...
Clean code is the only last defense...
My 2 cents.
Bye.
--
Hernán Marcelo Racciatti
Core Team Member ISECOM (Institute for Security and Open Methodologies)
Coordinator OISSG, Argentina (Open Information System Security Group)
[mailto:hracciatti@gmail.com]
[http://www.hernanracciatti.com.ar]
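An added example (not from the post or its author) that puts the two claims above side by side: it runs the listed evasion spellings through a naive signature and a URL-decoding heuristic, then shows that a query built by string concatenation is altered by the injection while a bound parameter treats every spelling as plain data. The `users` table and the signature regexes are constructed for the demonstration.

```python
import re
import sqlite3
import urllib.parse

# Constructed inputs: the evasion variants listed in the post.
PAYLOADS = [
    "'OR 1=1--",
    "'OR1=1--",
    "'or2>1--",
    "%27%4f%52%20%31%3d%31%2d%2d",
    "%27%4f%52%20'a'=N'a'",
]

# A naive signature that only knows the textbook spelling "' OR 1=1".
NAIVE_SIG = re.compile(r"'\s*OR\s+1=1", re.IGNORECASE)

# A broader heuristic: URL-decode first, then look for a quote, OR/AND and a comparison.
# It catches every variant above, but it is still a guess at the attacker's spelling,
# which is exactly the weakness the post describes.
BROAD_SIG = re.compile(r"'\s*(?:or|and)\s*\S+?\s*[=<>]", re.IGNORECASE)

def naive_detect(value: str) -> bool:
    return bool(NAIVE_SIG.search(value))

def broad_detect(value: str) -> bool:
    return bool(BROAD_SIG.search(urllib.parse.unquote(value)))

def detection_report() -> dict:
    """Map each payload to (naive_hit, broad_hit)."""
    return {p: (naive_detect(p), broad_detect(p)) for p in PAYLOADS}

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn

def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> list:
    # String concatenation: the quote in the input closes the literal early
    # and the rest of the input becomes part of the WHERE clause.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def safe_lookup(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the input stays data no matter how it is spelled or encoded,
    # so no signature is needed to keep the query intact.
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]
```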