Hi,
I actually saw this kind of blasphemy several years ago -- an
application that builds a SQL query using client-side JavaScript. The
complete SQL query was then passed as a hidden parameter to the web
application...
Go figure...
-Ory Segal
http://www.watchfire.com
-----Original Message-----
From: bryan allott [mailto:homegrown@bryanallott.net]
Sent: Thursday, October 05, 2006 5:35 PM
To: webappsec@securityfocus.com; websecurity@webappsec.org
Subject: [WEB SECURITY] Re: SQL In the Request
Just when i thought i had seen it all... -i come across a site which
passes in the following as part of the REQUEST..
yes, the SWF builds a request and sends it through to a php server... in
plain text.
POST /flashsql.php?id=106 HTTP/1.1
= QUERYSTRING ====
id=106
= BODY ====
host=<HOSTNAME>
sql_=SELECT DISTINCT(movies.id), movies.name, filename FROM movies LEFT
JOIN groups_movies ON (movies.id = groups_movies.movie_id) LEFT JOIN
groups ON (groups.id = groups_movies.group_id) LEFT JOIN files_groups ON
(groups.id = files_groups.group_id) LEFT JOIN files ON (files.id =
files_groups.file_id) WHERE movies.id IN(155,150,52,149,134,133,76) AND
files.file_type_id=9 ORDER BY movies.id
dat=sk_cms
is there anyway that this can be "acceptable" ?
------------------------------------------------------------------------
----
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire has new programs available for pen testers and consultants to
use AppScan in client engagements. AppScan is the leading Web application
assessment tool. Want to see it for yourself? Take a look today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------
