-- www.adOpenStatic.com/cs/blogs/ken/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: From: thelist-bounces at lists.evolt.org [mailto:thelist-
: bounces at lists.evolt.org] On Behalf Of Matt Warden
: Subject: Re: [thelist] Need help with a simple regex (Monday annoyance)
:
: Jonathan,
:
: On Apr 4, 2005 7:42 PM, Jonathan Dillon <jdillon at boehm-ritter.com> wrote:
: > I have a field in an application that has a single text input that can
: > search multiple datatypes with the use of a pulldown. Easy to hook it
: > up, but now I want to make sure that SQL injection attacks are
: > completely not possible.
:
: I think we showed in an earlier thread that you can basically guard
: against this by escaping single quotes. There was some discussion also
: about encoding attacks, but it seemed to be largely theoretical, as we
: could not get an example of the attack to work.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Unfortunately, none of us (AFAIK) are experts on this. If people like
Michael Howard (author of Writing Secure Code [1]) and David Litchfield
(NGSS - he's discovered how many vulnerabilities in various pieces of
software? [2]) say it's possible, then I take their word for it
(especially over people here who say "they can't get it to work" - no
offence intended, but I think the former two know a lot more about what
they are talking about).

Cheers
Ken

[1] http://www.amazon.com/exec/obidos/ASIN/0735617228/
[2] http://www.google.com/search?q=site%3Amicrosoft.com+David+Litchfield
    http://www.google.com/search?q=site%3Aoracle.com+David+Litchfield
    http://www.google.com/search?q=site%3Aibm.com+David+Litchfield
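As an added example (not from the thread or any of its posters), the way a practitioner would wire up Jonathan's single-input, pulldown-selected search without relying on quote escaping at all: the pulldown value is checked against a fixed allowlist of columns, and the search term goes to the database as a bound parameter, so the driver keeps it as data whatever the column's datatype, including numeric columns where there are no quotes to escape. The table, column names and sample rows are assumed/constructed for the example.

```python
import sqlite3

# Columns the pulldown is allowed to select. SQL identifiers cannot be
# bound as parameters, so the pulldown value is looked up here instead of
# being concatenated into the query. (Table and columns are assumed.)
SEARCHABLE_COLUMNS = {
    "name": "name",                # text column
    "email": "email",              # text column
    "customer_id": "customer_id",  # integer column: no quotes to escape
}


def build_sample_db():
    """Constructed in-memory sample data for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (customer_id INTEGER, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "O'Brien", "obrien@example.com"),  # legitimate quote in data
            (2, "Smith", "smith@example.com"),
            (3, "Jones", "jones@example.com"),
        ],
    )
    return conn


def search(conn, field, term):
    """Exact-match search of one allowlisted column for `term`.

    The column name comes from SEARCHABLE_COLUMNS; the term is passed as a
    bound parameter, never spliced into the SQL text, so it cannot change
    the statement's structure and no escaping is needed. Any pulldown value
    outside the allowlist is rejected rather than used.
    """
    try:
        column = SEARCHABLE_COLUMNS[field]
    except KeyError:
        raise ValueError(f"unknown search field: {field!r}")
    sql = f"SELECT customer_id, name FROM customers WHERE {column} = ?"
    return conn.execute(sql, (term,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print(search(db, "name", "O'Brien"))      # [(1, "O'Brien")]
    print(search(db, "customer_id", "2"))     # [(2, 'Smith')]
```

A term containing a quote or comment marker is simply matched literally (and finds nothing), and a pulldown value outside the allowlist raises before any SQL is built.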