[38078] in bugtraq
Re: Paper: SQL Injection Attacks by Example
daemon@ATHENA.MIT.EDU (Cory Foy)
Wed Jan 5 17:15:19 2005
Message-ID: <41DC547C.7000501@mobilehwy.com>
Date: Wed, 05 Jan 2005 15:56:28 -0500
From: Cory Foy <Cory.Foy@mobilehwy.com>
To: bugtraq@securityfocus.com
In-Reply-To: <8DC79B1EA961734C852BE2D5ECC069A001A7E220@usilms26.ca.com>
Scovetta, Michael V wrote:
> At least in MSSQL, you'd have to do something bad like use sp_executesql
> or some other function that will re-form a complete sql query and pass
> that to the interpreter. As long as you do more sensible stuff like:
>
> insert into table (name, age) values (@b, @a)
>
> you should be fine.

Except that I've seen webbie-type people who will execute a stored proc
by doing:

    strSQL = "exec userLogin " + userName + " " + userPassword

which would still be subject to a SQL Injection attack if I simply
had a semicolon in the userPassword and then was able to pass any other
query to it.

Cory
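
Added example, not part of the original message: a T-SQL sketch of the concatenated stored-procedure call described above, next to two bound-parameter forms. The body of dbo.userLogin, the variable values and the marker statement are constructed for illustration, and the client-side concatenation is reproduced here in T-SQL so the whole comparison runs in one session.

```sql
-- Hypothetical procedure body: it only reports what it received, so the
-- difference between the calls below is visible in the result sets.
CREATE PROCEDURE dbo.userLogin
    @userName     nvarchar(64),
    @userPassword nvarchar(128)
AS
    SELECT @userName AS name_seen, LEN(@userPassword) AS password_length;
GO

-- Constructed input: a password value that contains a semicolon.
DECLARE @userName     nvarchar(64)  = N'alice';
DECLARE @userPassword nvarchar(128) =
    N'x; SELECT N''second statement ran'' AS marker';

-- Weak: the call is assembled as text and then parsed as a batch.
-- The semicolon inside the password ends the EXEC statement, and the
-- remainder of the value is parsed as a statement of its own.
DECLARE @strSQL nvarchar(400) =
    N'exec dbo.userLogin ' + @userName + N', ' + @userPassword;
EXEC (@strSQL);

-- Hardened 1: direct call. The values are bound to the procedure's
-- parameters and are never parsed as SQL text, so the procedure sees
-- the full string, semicolon included, as the password.
EXEC dbo.userLogin @userName = @userName, @userPassword = @userPassword;

-- Hardened 2: if dynamic SQL is unavoidable, keep the statement text
-- constant and pass the values through sp_executesql's parameter list.
EXEC sys.sp_executesql
    N'EXEC dbo.userLogin @userName = @u, @userPassword = @p',
    N'@u nvarchar(64), @p nvarchar(128)',
    @u = @userName, @p = @userPassword;
```

In application code the counterpart of the hardened forms is a command object that names the procedure and binds userName and userPassword as parameters, rather than building strSQL by concatenation.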