Network Security: Detailed info on Re: SQL injection

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Pen-Test

[Top] [All Lists]

Re: SQL injection

from [Hernán M. Racciatti] Network Security

[Permanent Link]

Subject:	Re: SQL injection
Date:	Fri, 10 Jun 2005 15:40:22 -0300

On 6/10/05, Leandro Reox <lmet5on@fibertel.com.ar> wrote:

Like Todd says "nothing is 100% secure"


Is the real life...

so wellcoded web apps + good sigs
based detections + good db diagramming + a lot of conscience makes a nice
combo.


I agree, but I would add one or two additional items: security in
depth and less privileges...

p.d: In SQL Injection tactics, evasion OFTEN is possible ej:

'OR 1=1--
'OR1=1--
'or2>1--
%27%4f%52%20%31%3d%31%2d%2d
%27%4f%52%20'a'=N'a'
etc...

Config n signatures is theoretically possible, but not in practical terms...

Clean code is the only last defense.. 

My 2 cent.
Bye.

-- 
Hernán Marcelo Racciatti

Core Team Member ISECOM (Institute for Security and Open Methodologies)
Coordinator OISSG, Argentina (Open Information System Security Group)

[mailto:hracciatti@gmail.com]
[http://www.hernanracciatti.com.ar]

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Exploit Repositories and Due Diligence, (continued) Exploit Repositories and Due Diligence, Jeff RE: Exploit Repositories and Due Diligence, Leandro Reox RE: Exploit Repositories and Due Diligence, Sahir Hidayatullah RE: Exploit Repositories and Due Diligence, Carl Tucker RE: Exploit Repositories and Due Diligence, Carl Tucker Re: SQL injection, Tim Re: SQL injection, James Riden RE: SQL injection, Leandro Reox RE: SQL injection, Todd Towles RE: SQL injection, Leandro Reox Re: SQL injection, Hernán M. Racciatti <= Re: SQL injection, DokFLeed RE: SQL injection, Faisal Khan RE: SQL injection, Faiz Ahmad Shuja

Previous by Date:	Re: Why Penetration Test?, Terry Vernon
Next by Date:	RE: Why Penetration Test?, Erin Carroll
Previous by Thread:	RE: SQL injection, Leandro Reox
Next by Thread:	Re: SQL injection, DokFLeed
Indexes:	[Date] [Thread] [Top] [All Lists]