spi labs wrote: > > The SPI Labs whitepaper on SQL injection has been released. It is > available in PDF format from: > http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf > Really interesting paper. Just scanning it now on page 30: Are you sure you don't mean: s/[^0-9a-zA-Z]//g (remove any character that is not a (US-ASCII) letter or digit) instead of s/^[0-9][a-z][A-Z]//g (remove the first three characters of a line if it starts with a digit, a lower case letter and then an uppercase letter) > Here's the overview: > SQL injection is a technique for exploiting web applications > that use client-supplied data in SQL queries without stripping illegal > characters first. Despite being remarkably simple to protect against, there > is an astonishing number of production systems connected to the Internet > that are vulnerable to this type of attack. The objective of this paper is > to educate the professional security community on the techniques that can be > used to take advantage of a web application that is vulnerable to SQL > injection as well as make clear the correct mechanisms that should be put in > place to protect against SQL injection, as well as input validations > problems in general. > > Please send comments and questions to spilabsat_private -- Med venlig hilsen / Kind regards Hack Kampbjørn
This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 16:10:23 PST