Hosting Provided By

RE: Current Project Design, Comments?

From: Michael Loll <mloll(at)pointetech.com>
Date: Fri Feb 14 2003 - 16:15:45 EST

Kevin,

Try this:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/ht ml/secnetlpMSDN.asp

Yes, I'm only using Stored Procedures for data access/updating. Any time a user wishes to touch the database it will be through our application, no where else. Though I guess an Oracle administrator COULD do whatever they wanted, but you can't stop that.

-----Original Message-----
From: Kevin Spett [mailto:kspett@spidynamics.com] Sent: Friday, February 14, 2003 4:03 PM
To: Michael Loll; webappsec@securityfocus.com Subject: Re: Current Project Design, Comments?

Hmmm... a hot week for SQL injection questions. Simply use Prepared Statements, Stored Procedures and Command Objects to access the database. No "string built" queries. The easiest way to enforce and test this is to make sure that the *only* thing the web app's DB user has access to is a set of stored procedures... It shouldn't even be allowed to run arbitrary SELECT statements on relevent tables.

BTW, could you throw out a link to said whitepaper? Received on Fri Feb 14 16:18:57 2003

This message: [ Message body ]
Next message: Michael Loll: "RE: Current Project Design, Comments?"
Previous message: Brass, Phil (ISS Atlanta): "RE: Current Project Design, Comments?"
Maybe in reply to: Michael Loll: "Current Project Design, Comments?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:48 EDT

Do you need help?