Posted to torque-user@db.apache.org by Markus Müller <sp...@online.de> on 2009/09/16 09:00:33 UTC
Precautions against "SQL Injection"?
Hello,
are there any precautions against SQL Injection?
Example (http://de.wikipedia.org/wiki/SQL_Injection):
User enters the value
sql' ;GO EXEC cmdshell('format C') --
which leads to execution of statement
SELECT url, title FROM myindex
WHERE keyword
LIKE '%sql' ;GO EXEC cmdshell('format C') --%'
instead of
SELECT url, title FROM myindex
WHERE keyword
LIKE '%sql%'
Best regards,
Markus Müller
--
Markus Müller, Karlsruhe, www.mm65.de
---------------------------------------------------------------------
To unsubscribe, e-mail: torque-user-unsubscribe@db.apache.org
For additional commands, e-mail: torque-user-help@db.apache.org
Re: Precautions against "SQL Injection"?
Posted by Luca Ciocci <l....@askweb.it>.
Hi, I don't think it is so easy to do SQL Injection with Torque; all
query data are SQL escaped.
Bye!
On Wed, 16/09/2009 at 11.10 +0200, Graham Leggett wrote:
> Markus Müller wrote:
>
> > are there any precautions against SQL Injection?
>
> My understanding is that all SQL statements generated either use
> prepared statements, or their arguments are escaped as per the
> database's requirements.
>
> If torque allowed sql injection, that would be a major security flaw.
>
> Regards,
> Graham
> --
>
Re: Precautions against "SQL Injection"?
Posted by Graham Leggett <mi...@sharp.fm>.
Markus Müller wrote:
> are there any precautions against SQL Injection?
My understanding is that all SQL statements generated either use
prepared statements, or their arguments are escaped as per the
database's requirements.
If torque allowed sql injection, that would be a major security flaw.
Regards,
Graham
--