cocoon-dev mailing list archives

From Antonio Gallardo Rivera <agalla...@agsoftware.dnsalias.com>
Subject Re: A case of SQL injection
Date Tue, 05 Nov 2002 21:38:10 GMT
Just a question. Please don't take it wrong.

Can you send a "DROP TABLE mytable" in the following example of an XSP page? I 
am using the mod-db stuff too.

<esql:execute-query>
  <esql:query>
    SELECT * FROM mytable
    WHERE mytable_id=
      <esql:parameter type="int">
        <xsp:expr>
          Integer.parseInt(
            <xsp-request:get-parameter name="id" default="0"/>
          )
        </xsp:expr>
      </esql:parameter>
  </esql:query>
</esql:execute-query>

Antonio Gallardo



On Tuesday, 05 November 2002 14:38, Geoff Howard wrote:
> I just tried it.  Logging in as
>
> Donald Ball'; DROP TABLE employee;
>
> does exactly what you think it would.  It drops the
> table and the next time you try to log in, the table
> is gone and logins fail (DOH - does the hsql db get
> regenerated automatically somehow?)
>
> I have to run out but will put this in Bugzilla later.
>
>
> This combined with the fact that the mod-db stuff
> almost forces you to reveal your actual table and
> column names to the world in your request parameters
> amounts to big trouble.
>
> Geoff
>
> --- Torsten Curdt <tcurdt@dff.st> wrote:
> > On Tue, 2002-11-05 at 19:53, Geoff Howard wrote:
> > > Speaking of protecting against SQL injection - is it
> > > generally known that DatabaseAuthenticatorAction.java
> > > is not using PreparedStatement?  I wonder what logging
> > > in as
> > > Donald Ball'; DROP TABLE user_table;
> > >
> > > would do...?
> >
> > Do you mind trying it out and filing a bug in bugzilla?
> > ;)
> > --
> > Torsten

---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
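Added example, not code from this thread or from Cocoon: the login injection Geoff reports, run against an in-memory SQLite table with Python's sqlite3 module, alongside the placeholder-bound version of the same query (the PreparedStatement fix Torsten's question points at) and the parseInt-then-bind pattern from Antonio's ESQL snippet. The table name, its rows, the password sent with the login string and the run_batch helper, which simulates a database that executes a batch of ';'-separated statements as Geoff's hsqldb test implies, are assumptions made for the demo.

```python
"""Added example for the thread above; not Cocoon code.

Reproduces the DatabaseAuthenticatorAction injection Geoff reports
against an in-memory SQLite table, next to the parameter-bound query
(what java.sql.PreparedStatement gives you in Cocoon) and the
parseInt-then-bind pattern of Antonio's ESQL snippet.
The table, its rows and the run_batch() helper are constructed for
the demo and are assumptions, not anything taken from the thread.
"""
import sqlite3

# Constructed sample data standing in for Cocoon's login table.
SAMPLE_ROWS = [(1, "Donald Ball", "secret"), (2, "Geoff Howard", "hunter2")]

PAYLOAD = "Donald Ball'; DROP TABLE employee;"  # Geoff's login string


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee (id INTEGER, name TEXT, password TEXT)")
    con.executemany("INSERT INTO employee VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def table_exists(con, name):
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def run_batch(con, sql):
    """Execute a ';'-separated statement batch one statement at a time.

    Stands in for a database/driver that runs every statement it is handed
    in one string, which is what Geoff's hsqldb test implies (an assumption;
    sqlite3's execute() itself refuses more than one statement). Fragments
    that fail to parse, such as the tail left behind after an injected
    quote, are skipped the way a batch runner reports an error and moves on.
    """
    rows = []
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        try:
            rows.extend(con.execute(stmt).fetchall())
        except sqlite3.Error:
            pass
    return rows


def login_concat(con, name, password):
    """Vulnerable: the query is assembled by string concatenation, so a
    quote in the input closes the literal and a ';' starts a new statement."""
    sql = ("SELECT id FROM employee WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [r[0] for r in run_batch(con, sql)]


def login_bound(con, name, password):
    """Fixed: placeholders. The values travel separately from the SQL text,
    so the quote and the ';' are just characters inside one string literal."""
    cur = con.execute(
        "SELECT id FROM employee WHERE name = ? AND password = ?", (name, password)
    )
    return [r[0] for r in cur.fetchall()]


def lookup_by_id(con, raw_id, default="0"):
    """Antonio's ESQL pattern: Integer.parseInt (int() here; a little looser,
    it accepts '1_0' and non-ASCII digits) on the request parameter, then bind
    the number. Anything else raises ValueError before any query exists, and
    a bound int cannot carry SQL anyway."""
    id_ = int(default if raw_id is None else raw_id)
    return con.execute(
        "SELECT id, name FROM employee WHERE id = ?", (id_,)
    ).fetchall()


def demo():
    """Run both logins with Geoff's payload and report what survived."""
    con = fresh_db()
    concat_result = login_concat(con, PAYLOAD, "x")
    concat_table_left = table_exists(con, "employee")
    con = fresh_db()
    bound_result = login_bound(con, PAYLOAD, "x")
    bound_table_left = table_exists(con, "employee")
    return {
        "concat": (concat_result, concat_table_left),
        "bound": (bound_result, bound_table_left),
    }


if __name__ == "__main__":
    for mode, (ids, table_left) in demo().items():
        print(f"{mode:6}: matched ids={ids}, employee table still there={table_left}")
```

Running the file prints one line per mode: the concatenated query logs the attacker in as Donald Ball and leaves no employee table behind, while the bound query matches nothing and the table survives. The split on ';' inside run_batch is only there to mimic a batch-executing driver; it is not itself a safe way to run anything derived from user input.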

