[SC-L] CERIAS : Beware SQL injections due to missing prepared statement support
Kenneth Van Wyk
ken at krvw.com
Thu Jul 30 14:37:38 EDT 2009
Here's one for the daily UGH!
Great points raised by Pascal Meunier (see below) about poorly
implemented language support for Prepared Statement SQL calls. In
particular, Python's pyPGSQL actually takes its prepared statement and
translates it internally into an old-style concatenated string query,
thereby opening itself up to various SQL injection vulnerabilities.
http://www.cerias.purdue.edu/site/blog/post/beware_sql_injections_due_to_missing_prepared_statement_support/#When:16:32:23Z
Interesting article, Pascal. Thanks!
Cheers,
Ken
-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
(This email is digitally signed with a free x.509 certificate from
CAcert. If you're unable to verify the signature, try getting their
root CA certificate at http://www.cacert.org -- for free.)
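An added illustration of the failure mode Ken describes (this is not code from the post, from pyPGSQL, or from the CERIAS article): a driver that "prepares" by pasting the parameter into the SQL text versus one that binds the value separately. It uses Python's built-in sqlite3 as a stand-in for PostgreSQL, and the users table and names are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn


def lookup_interpolated(conn: sqlite3.Connection, name: str) -> list:
    """Emulates a driver that turns a 'prepared' call into a concatenated
    query before sending it, so the parameter becomes part of the SQL text.
    This is an emulation of the behaviour described in the post, not
    pyPGSQL's own code."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    """Real parameter binding: the SQL text is fixed and the value travels
    separately, so it can never alter the statement's structure."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def classify(conn: sqlite3.Connection, name: str) -> dict:
    """Runs both strategies on the same input and reports ('ok', rows) or
    ('error', exception name) for each, so the difference can be inspected
    without the caller having to catch anything."""
    out = {}
    for label, fn in (("interpolated", lookup_interpolated),
                      ("bound", lookup_bound)):
        try:
            out[label] = ("ok", fn(conn, name))
        except sqlite3.Error as exc:
            out[label] = ("error", type(exc).__name__)
    return out


if __name__ == "__main__":
    db = make_db()
    # A plain name works either way; a name containing a quote shows that
    # under interpolation the data was parsed as SQL, under binding it was not.
    for probe in ("alice", "O'Brien"):
        print(probe, classify(db, probe))
```

The single quote in "O'Brien" is enough to show the difference: the interpolated version fails to parse because the value was treated as SQL, while the bound version returns the matching row.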