Re: Will Insensitive Like become potential sql injection?
- Subject: Re: Will Insensitive Like become potential sql injection?
- From: Mike Schrag <email@hidden>
- Date: Thu, 28 Aug 2008 12:04:00 -0400
I wonder if that will introduce SQL injection vulnerability into my
system:
assuming an adversary has * or % in his email address query string, will
that hurt my database security?
If you are taking a string from a user and just doing "*" + thatString
+ "*", (or something like that), then, yes, they could inject
additional regexes into that. This isn't quite SQL injection -- I
guess you'd call it "regex injection". As far as whether or not it
impacts your security, it really depends on how you're using the
query. If you're doing "and password like '*..." then I suppose it
could, but if you're just searching, say, product names and someone
puts in a *, it's probably going to potentially just give them
different results. So I guess my point is that if the qualifier in
question is participating in a query where the results of the query
are a security concern, then, yes, you should be careful about the
values you accept there.
ms
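As an added illustration (not code from the thread or from WebObjects itself), here is one way to handle the two cases Mike distinguishes in EOF: a free-text search where a substring match is wanted but the user must not be able to widen it, and a login lookup where a pattern must never be used at all. The entity and attribute names (`Product.name`, `User.email`), the helper names, and the convention that stored email addresses are lowercase are assumptions; the helper strips the `*` and `?` wildcards rather than relying on any escape syntax.

```java
import com.webobjects.eocontrol.EOEditingContext;
import com.webobjects.eocontrol.EOFetchSpecification;
import com.webobjects.eocontrol.EOKeyValueQualifier;
import com.webobjects.eocontrol.EOQualifier;
import com.webobjects.foundation.NSArray;

public class SafeLikeQualifiers {

    // Wildcards recognised by EOF "like" / "caseInsensitiveLike" patterns.
    private static final String WILDCARDS = "*?";

    /** Remove EOF wildcard characters so the user's text is matched literally. */
    public static String stripWildcards(String userInput) {
        if (userInput == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(userInput.length());
        for (int i = 0; i < userInput.length(); i++) {
            char c = userInput.charAt(i);
            if (WILDCARDS.indexOf(c) < 0) {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Search case: substring match wanted, but "*" from the user must not widen it. */
    public static EOQualifier productNameSearchQualifier(String userInput) {
        String pattern = "*" + stripWildcards(userInput) + "*";
        return new EOKeyValueQualifier("name",
                EOQualifier.QualifierOperatorCaseInsensitiveLike, pattern);
    }

    /** Security case: exact equality, never a pattern, so "*" cannot match every account.
     *  Assumes (hypothetical convention) that User.email is stored lowercased. */
    public static EOQualifier loginQualifier(String email) {
        String normalized = (email == null) ? "" : email.toLowerCase();
        return new EOKeyValueQualifier("email",
                EOQualifier.QualifierOperatorEqual, normalized);
    }

    /** Run the qualifier against the named entity (entity names are assumptions). */
    public static NSArray fetch(EOEditingContext ec, String entityName, EOQualifier q) {
        EOFetchSpecification fs = new EOFetchSpecification(entityName, q, null);
        return ec.objectsWithFetchSpecification(fs);
    }
}
```

With `stripWildcards`, a search for `*` returns the same rows as an empty search rather than a different result set, and the login path cannot be turned into a pattern match at all.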
Webobjects-dev mailing list (email@hidden)